CVE-2026-25997
Received Received - Intake
Use-After-Free Vulnerability in FreeRDP Clipboard Handling

Publication date: 2026-02-25

Last updated on: 2026-02-27

Assigner: GitHub, Inc.

Description
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, `xf_clipboard_format_equal` reads freed `lastSentFormats` memory because `xf_clipboard_formats_free` (called from the cliprdr channel thread during auto-reconnect) frees the array while the X11 event thread concurrently iterates it in `xf_clipboard_changed`, triggering a heap use after free. Version 3.23.0 fixes the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-25
Last Modified
2026-02-27
Generated
2026-06-16
AI Q&A
2026-02-25
EPSS Evaluated
2026-06-15
NVD
CVE-2026-25997
EUVD
EUVD-2026-8737
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
freerdp freerdp to 3.23.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-416 The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': "CVE-2026-25997 is a heap use-after-free vulnerability in FreeRDP's X11 clipboard handling code. It occurs because two threads access clipboard data concurrently without proper synchronization. Specifically, the cliprdr channel thread frees the clipboard formats array during an auto-reconnect event, while the X11 event thread simultaneously iterates over this now-freed memory. This race condition leads to reading freed memory, which can cause crashes or memory corruption."}, {'type': 'paragraph', 'content': 'The vulnerability arises in the function `xf_clipboard_format_equal` which reads from the `lastSentFormats` array after it has been freed by `xf_clipboard_formats_free`. The issue is due to the lack of locking between the threads accessing this shared data.'}] [3]

Impact Analysis

This vulnerability can be exploited by a malicious RDP server to cause a heap use-after-free on the client side. The immediate impact includes application crashes leading to denial of service.

Beyond crashes, depending on the memory allocator and heap layout, this vulnerability could potentially be leveraged to execute arbitrary code on the client machine, escalating the severity from moderate to critical in some scenarios.

Compliance Impact

I don't know

Detection Guidance

This vulnerability is a heap use-after-free in the FreeRDP client related to clipboard handling in the X11 client. Detection involves monitoring for crashes or abnormal behavior in FreeRDP versions prior to 3.23.0, especially during auto-reconnect events or clipboard operations.

Since the issue arises from a race condition between threads accessing clipboard data, dynamic analysis tools like AddressSanitizer (ASan) can detect heap-use-after-free reads in the function `xf_clipboard_format_equal` during concurrent clipboard ownership changes.

There are no specific network commands or signatures provided to detect exploitation attempts on the network.

For system-level detection, running FreeRDP under AddressSanitizer or similar memory error detection tools during clipboard activity and auto-reconnect can help identify the vulnerability.

Mitigation Strategies

The primary mitigation is to upgrade FreeRDP to version 3.23.0 or later, where the vulnerability is fixed by introducing proper synchronization between threads accessing clipboard formats.

If upgrading is not immediately possible, avoid using clipboard redirection features or auto-reconnect functionality in FreeRDP to reduce the risk of triggering the race condition.

Monitoring and restricting connections to untrusted RDP servers can also reduce exposure, as exploitation requires a malicious RDP server to trigger the race condition.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-25997. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart