CVE-2026-25997
Use-After-Free Vulnerability in FreeRDP Clipboard Handling
Publication date: 2026-02-25
Last updated on: 2026-02-27
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| freerdp | freerdp | < 3.23.0 (upper bound excluded) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-416 | The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-25997 is a heap use-after-free vulnerability in FreeRDP's X11 clipboard handling code. It occurs because two threads access clipboard data concurrently without proper synchronization. Specifically, the cliprdr channel thread frees the clipboard formats array during an auto-reconnect event, while the X11 event thread simultaneously iterates over this now-freed memory. This race condition leads to reading freed memory, which can cause crashes or memory corruption.

The vulnerability arises in the function `xf_clipboard_format_equal`, which reads from the `lastSentFormats` array after it has been freed by `xf_clipboard_formats_free`. The issue is due to the lack of locking between the threads accessing this shared data. [3]
How can this vulnerability impact me?
This vulnerability can be exploited by a malicious RDP server to cause a heap use-after-free on the client side. The immediate impact includes application crashes leading to denial of service.
Beyond crashes, depending on the memory allocator and heap layout, this vulnerability could potentially be leveraged to execute arbitrary code on the client machine, escalating the severity from moderate to critical in some scenarios.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability is a heap use-after-free in the FreeRDP client related to clipboard handling in the X11 client. Detection involves monitoring for crashes or abnormal behavior in FreeRDP versions prior to 3.23.0, especially during auto-reconnect events or clipboard operations.
Since the issue arises from a race condition between threads accessing clipboard data, dynamic analysis tools like AddressSanitizer (ASan) can detect heap-use-after-free reads in the function `xf_clipboard_format_equal` during concurrent clipboard ownership changes.
There are no specific network commands or signatures provided to detect exploitation attempts on the network.
For system-level detection, running FreeRDP under AddressSanitizer or similar memory error detection tools during clipboard activity and auto-reconnect can help identify the vulnerability.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade FreeRDP to version 3.23.0 or later, where the vulnerability is fixed by introducing proper synchronization between threads accessing clipboard formats.
If upgrading is not immediately possible, avoid using clipboard redirection features or auto-reconnect functionality in FreeRDP to reduce the risk of triggering the race condition.
Monitoring and restricting connections to untrusted RDP servers can also reduce exposure, as exploitation requires a malicious RDP server to trigger the race condition.
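The race described in the explanation above (one thread frees the formats array on reconnect while another scans it) and the fix named in the mitigation (synchronization between those threads) are shown below in a small model written for this page; it is an added example, not FreeRDP's code, and the `Clipboard` type and `clipboard_*` functions are hypothetical stand-ins for the real `lastSentFormats` handling. Build it with `cc -fsanitize=address -pthread` to see the sanitizer-based detection mentioned above stay quiet with the locks in place.

```c
#include <pthread.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>

/* Model of the shared state behind CVE-2026-25997 (hypothetical names, not FreeRDP's). */
typedef struct {
    pthread_mutex_t lock; /* the synchronization the fixed release adds */
    uint32_t *formats;    /* stands in for the lastSentFormats array */
    size_t count;
    uint64_t generation;  /* bumped on every free-and-replace, for diagnostics */
} Clipboard;
#define CLIPBOARD_INIT { PTHREAD_MUTEX_INITIALIZER, NULL, 0, 0 }

/* Auto-reconnect path: frees the old array and installs a new one. Without the
 * lock, a reader still scanning the old array would read freed memory. */
void clipboard_formats_reset(Clipboard *cb, const uint32_t *ids, size_t n) {
    pthread_mutex_lock(&cb->lock);
    free(cb->formats);
    cb->formats = n ? calloc(n, sizeof *cb->formats) : NULL;
    cb->count = cb->formats ? n : 0;
    for (size_t i = 0; i < cb->count; i++) cb->formats[i] = ids[i];
    cb->generation++;
    pthread_mutex_unlock(&cb->lock);
}

/* X11-thread side: the whole scan holds the lock, so the array cannot be freed
 * underneath it (the hardened form of the format comparison). */
bool clipboard_format_known(Clipboard *cb, uint32_t id) {
    bool found = false;
    pthread_mutex_lock(&cb->lock);
    for (size_t i = 0; i < cb->count && !found; i++) found = (cb->formats[i] == id);
    pthread_mutex_unlock(&cb->lock);
    return found;
}

/* Stress driver: one thread keeps "reconnecting" while the caller keeps querying.
 * Under -fsanitize=address this stays clean; remove the lock/unlock pairs above
 * and ASan reports the heap-use-after-free read the advisory describes. */
static void *reconnect_loop(void *arg) {
    static const uint32_t ids[] = { 1, 13, 49 }; /* constructed sample format ids */
    for (int i = 0; i < 20000; i++) clipboard_formats_reset(arg, ids, (i & 1) ? 3 : 1);
    return NULL;
}
int clipboard_stress(Clipboard *cb) { /* returns 0 on success */
    pthread_t t;
    if (pthread_create(&t, NULL, reconnect_loop, cb) != 0) return -1;
    for (int i = 0; i < 20000; i++) (void)clipboard_format_known(cb, 13);
    return pthread_join(t, NULL);
}
```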