CVE-2026-25959
Use-After-Free in FreeRDP Clipboard Handling Causes Heap Corruption

Publication date: 2026-02-25

Last updated on: 2026-02-27

Assigner: GitHub, Inc.

Description
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, `xf_cliprdr_provide_data_` passes freed `pDstData` to `XChangeProperty` because the cliprdr channel thread calls `xf_cliprdr_server_format_data_response` which converts and uses the clipboard data without holding any lock, while the X11 event thread concurrently calls `xf_cliprdr_clear_cached_data` → `HashTable_Clear` which frees the same data via `xf_cached_data_free`, triggering a heap use after free. Version 3.23.0 fixes the issue.
Meta Information
Published: 2026-02-25
Last Modified: 2026-02-27
Generated: 2026-06-16
AI Q&A: 2026-02-25
EPSS Evaluated: 2026-06-15
Affected Vendors & Products
Vendor: freerdp
Product: freerdp
Version / Range: up to 3.23.0 (exclusive)
CWE
CWE-416: The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
Executive Summary

CVE-2026-25959 is a heap-use-after-free vulnerability in the FreeRDP client, specifically in the X11 clipboard redirection component (xf_cliprdr). The issue occurs because one thread passes clipboard data to the X11 function XChangeProperty while another thread concurrently frees that same data. This race condition happens due to lack of synchronization between the cliprdr channel thread and the X11 event thread when accessing and clearing cached clipboard data.

Technically, the cliprdr channel thread allocates clipboard data and inserts it into a cache, then passes it to XChangeProperty without holding a lock. Meanwhile, the X11 event thread may clear the clipboard cache and free the data concurrently. This leads to XChangeProperty operating on freed memory, causing a heap-use-after-free.

The root cause is missing locking around the critical section that inserts and provides clipboard data, which was fixed by adding proper locking to prevent concurrent access.

Impact Analysis

This vulnerability can be exploited by a malicious RDP server to cause the FreeRDP client to crash, resulting in a denial of service.

Additionally, because the vulnerability involves heap corruption, it may allow an attacker to execute arbitrary code on the client system, depending on the heap allocator behavior and memory layout.

Detection Guidance

This vulnerability can be detected by monitoring for heap use-after-free errors in the FreeRDP client, specifically related to clipboard operations on X11. One practical way to detect it is by running FreeRDP with AddressSanitizer (ASan) enabled, which can catch use-after-free issues during concurrent clipboard operations.

To reproduce or detect the issue, you can perform stress tests on the clipboard channel by spamming clipboard writes and reads to trigger concurrent cache clearing and data responses.

There are no specific network commands provided to detect this vulnerability directly, but monitoring FreeRDP client logs for crashes or heap corruption during clipboard use can be indicative.
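
A triage sketch for the ASan approach described above, added here as an example and not taken from FreeRDP or the advisory: it checks whether a heap-use-after-free report has this CVE's shape, using only the function names from the description. The sample report is constructed (addresses, thread ids, frame order and the module placeholders are made up), and `parse_asan` and `matches_cliprdr_race` are hypothetical helper names.

```python
import re

# Function names taken from the CVE description above.
USE_FRAMES = {"XChangeProperty", "xf_cliprdr_provide_data_",
              "xf_cliprdr_server_format_data_response"}
FREE_FRAMES = {"xf_cached_data_free", "HashTable_Clear",
               "xf_cliprdr_clear_cached_data"}
FRAME_RE = re.compile(r"^\s*#\d+\s+0x[0-9a-f]+\s+in\s+(\S+)")
HEADERS = ((re.compile(r"^(?:READ|WRITE) of size \d+ at 0x[0-9a-f]+ thread (T\d+)"), "use"),
           (re.compile(r"^freed by thread (T\d+)"), "free"),
           (re.compile(r"^previously allocated by thread (T\d+)"), "alloc"))

# Constructed sample report: values and module names are placeholders.
SAMPLE_REPORT = """\
==4242==ERROR: AddressSanitizer: heap-use-after-free on address 0x603000012340 at pc 0x7f00deadbeef bp 0x7f00aaaa0000 sp 0x7f00aaa9fff8
READ of size 64 at 0x603000012340 thread T7
    #0 0x7f00deadbeef in XChangeProperty (LIBX11+0x2beef)
    #1 0x55550001a2b3 in xf_cliprdr_provide_data_ (CLIENT_BINARY+0x1a2b3)
    #2 0x55550001b4c5 in xf_cliprdr_server_format_data_response (CLIENT_BINARY+0x1b4c5)
0x603000012340 is located 0 bytes inside of 64-byte region [0x603000012340,0x603000012380)
freed by thread T0 here:
    #0 0x7f00cafe0001 in free (LIBASAN+0xd0001)
    #1 0x55550001c111 in xf_cached_data_free (CLIENT_BINARY+0x1c111)
    #2 0x7f00beef2222 in HashTable_Clear (LIBWINPR+0x2222)
    #3 0x55550001c333 in xf_cliprdr_clear_cached_data (CLIENT_BINARY+0x1c333)
previously allocated by thread T7 here:
    #0 0x7f00cafe0002 in malloc (LIBASAN+0xd0002)
"""

def parse_asan(report):
    """Return {"use"|"free"|"alloc": (thread_id, [function names])}."""
    sections, current = {}, None
    for line in report.splitlines():
        for rx, name in HEADERS:
            if (m := rx.match(line)):
                current = name
                sections[name] = (m.group(1), [])
        if current and (f := FRAME_RE.match(line)):
            sections[current][1].append(f.group(1))
    return sections

def matches_cliprdr_race(report):
    """True when the use stack and the free stack both hit the clipboard
    functions named in the advisory and ran on different threads."""
    if "AddressSanitizer: heap-use-after-free" not in report:
        return False
    s = parse_asan(report)
    if "use" not in s or "free" not in s:
        return False
    (use_t, use_f), (free_t, free_f) = s["use"], s["free"]
    return (bool(USE_FRAMES & set(use_f)) and bool(FREE_FRAMES & set(free_f))
            and use_t != free_t)
```

A match only says the report is consistent with this race; other use-after-free bugs in the same code paths would look similar, so confirm the client version is below 3.23.0.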

Mitigation Strategies

The immediate mitigation step is to upgrade FreeRDP to version 3.23.0 or later, where the vulnerability has been fixed by adding proper locking around clipboard cache access to prevent concurrent use-after-free conditions.

If upgrading is not immediately possible, avoid using clipboard redirection features in FreeRDP when connecting to untrusted RDP servers, as the vulnerability can be exploited by a malicious server.

Additionally, monitoring and restricting RDP server connections to trusted sources can reduce the risk of exploitation.
