CVE-2026-25959
Use-After-Free in FreeRDP Clipboard Handling Causes Heap Corruption
Publication date: 2026-02-25
Last updated on: 2026-02-27
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| freerdp | freerdp | before 3.23.0 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-416 | The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-25959 is a heap-use-after-free vulnerability in the FreeRDP client, specifically in the X11 clipboard redirection component (xf_cliprdr). The issue occurs because one thread passes clipboard data to the X11 function XChangeProperty while another thread concurrently frees that same data. This race condition is caused by a lack of synchronization between the cliprdr channel thread and the X11 event thread when they access and clear cached clipboard data.
Technically, the cliprdr channel thread allocates clipboard data and inserts it into a cache, then passes it to XChangeProperty without holding a lock. Meanwhile, the X11 event thread may clear the clipboard cache and free the data concurrently. This leads to XChangeProperty operating on freed memory, causing a heap-use-after-free.
The root cause is missing locking around the critical section that inserts and provides clipboard data, which was fixed by adding proper locking to prevent concurrent access.
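The following C sketch is an added example, not FreeRDP source code: it models the two threads described above and holds one mutex across both the cache insert and the use of the buffer. All names (`cache_lock`, `cache_set`, `consume`, `provide_data`, `run_model`) are hypothetical, and `consume` is only a stand-in for XChangeProperty.

```c
/* Added example: simplified model of the race, not FreeRDP source; names are hypothetical. */
#include <pthread.h>
#include <stdlib.h>
#include <string.h>
#define DATA_LEN 4096
static pthread_mutex_t cache_lock = PTHREAD_MUTEX_INITIALIZER;
static unsigned char *cached; /* stand-in for the cached clipboard data */

/* Replace the cache entry, freeing the old one. Caller must hold cache_lock. */
static void cache_set(unsigned char *p) { free(cached); cached = p; }

/* Stand-in for XChangeProperty(): reads every byte it is handed. */
static int consume(const unsigned char *p, size_t n) {
    while (n--) if (*p++ != 0xAB) return 0;
    return 1;
}

/* Models the X11 event thread: repeatedly clears the cache. */
static void *clear_cache_thread(void *arg) {
    for (int i = *(int *)arg; i > 0; i--) {
        pthread_mutex_lock(&cache_lock);
        cache_set(NULL);
        pthread_mutex_unlock(&cache_lock);
    }
    return NULL;
}

/* Models the channel thread. The lock spans insert AND use; unlocking right
 * after cache_set() lets a clear free the buffer before consume() reads it. */
static int provide_data(void) {
    unsigned char *data = malloc(DATA_LEN);
    if (!data) return 0;
    memset(data, 0xAB, DATA_LEN);
    pthread_mutex_lock(&cache_lock);
    cache_set(data);
    int ok = consume(data, DATA_LEN);
    pthread_mutex_unlock(&cache_lock);
    return ok;
}

/* Runs both threads; returns how many reads saw intact data, or -1 on error. */
int run_model(int rounds) {
    pthread_t t;
    int good = 0;
    if (pthread_create(&t, NULL, clear_cache_thread, &rounds) != 0) return -1;
    for (int i = 0; i < rounds; i++) good += provide_data();
    pthread_join(t, NULL);
    cache_set(NULL);
    return good;
}
```

Compile with `-pthread` and call `run_model(2000)`; every read should see intact data. Adding `-fsanitize=address` gives the same kind of check the detection answer on this page recommends for FreeRDP itself.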
How can this vulnerability impact me?
This vulnerability can be exploited by a malicious RDP server to cause the FreeRDP client to crash, resulting in a denial of service.
Additionally, because the vulnerability involves heap corruption, it may allow an attacker to execute arbitrary code on the client system, depending on the heap allocator behavior and memory layout.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for heap use-after-free errors in the FreeRDP client, specifically related to clipboard operations on X11. One practical way to detect it is by running FreeRDP with AddressSanitizer (ASan) enabled, which can catch use-after-free issues during concurrent clipboard operations.
To reproduce or detect the issue, you can perform stress tests on the clipboard channel by spamming clipboard writes and reads to trigger concurrent cache clearing and data responses.
There are no specific network commands provided to detect this vulnerability directly, but monitoring FreeRDP client logs for crashes or heap corruption during clipboard use can be indicative.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade FreeRDP to version 3.23.0 or later, where the vulnerability has been fixed by adding proper locking around clipboard cache access to prevent concurrent use-after-free conditions.
If upgrading is not immediately possible, avoid using clipboard redirection features in FreeRDP when connecting to untrusted RDP servers, as the vulnerability can be exploited by a malicious server.
Additionally, monitoring and restricting RDP server connections to trusted sources can reduce the risk of exploitation.