Description
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, `xf_cliprdr_provide_data_` passes freed `pDstData` to `XChangeProperty` because the cliprdr channel thread calls `xf_cliprdr_server_format_data_response` which converts and uses the clipboard data without holding any lock, while the X11 event thread concurrently calls `xf_cliprdr_clear_cached_data` → `HashTable_Clear` which frees the same data via `xf_cached_data_free`, triggering a heap use after free. Version 3.23.0 fixes the issue.
Published: 2026-02-25
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution via Heap Use-After-Free
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is a heap-use-after-free in the FreeRDP function xf_cliprdr_provide_data_. During a clipboard transfer, the client processes data in two threads: the cliprdr channel thread that prepares the data and the X11 event thread that clears cached data. The lack of a lock allows the first thread to use a pointer after the memory has been freed by the second thread, corrupting the heap. If an attacker can control the clipboard content or timing, they could trigger this memory corruption to crash the client or execute arbitrary code in the context of the running user. The bug is specific to the memory handling of clipboard data and does not affect authentication or network traffic directly.

Affected Systems

All installations of the FreeRDP client before version 3.23.0 are affected. This includes any build that links against the xf_cliprdr module for X11, which is used by most desktop and headless deployments of FreeRDP. Systems that ship or compile the older mainline source will be vulnerable unless they apply the patch that became part of the 3.23.0 release.

Risk and Exploitability

The CVSS v3 score of 5.5 indicates moderate severity, and the EPSS score of less than 1% reflects a very low probability of exploitation in the wild at present. The flaw is not listed in CISA’s KEV catalog. Exploitation requires an active RDP session with clipboard redirection enabled and the ability to send improperly formed clipboard data. If achieved, the attack would land in the local user’s process space, potentially allowing privilege escalation or privilege-bound code execution. However, the low exploitation probability and moderate impact suggest a cautious but proactive stance.

Generated by OpenCVE AI on April 17, 2026 at 14:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the FreeRDP client to version 3.23.0 or later, which removes the heap-use-after-free bug.
  • If an upgrade cannot be performed immediately, disable clipboard redirection or the cliprdr channel to prevent the flaw from being exercised.
  • Ensure that any custom clipboard handling or third‑party extensions are removed or updated to use the patched code base.

Generated by OpenCVE AI on April 17, 2026 at 14:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 27 Feb 2026 15:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:freerdp:freerdp:*:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H'}

 cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Thu, 26 Feb 2026 13:30:00 +0000

Type Values Removed Values Added
First Time appeared Freerdp
Freerdp freerdp
Vendors & Products Freerdp
Freerdp freerdp

Thu, 26 Feb 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-825
References
Metrics threat_severity

None

 cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H'}

threat_severity

Moderate

Wed, 25 Feb 2026 21:00:00 +0000

Type Values Removed Values Added
Description FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, `xf_cliprdr_provide_data_` passes freed `pDstData` to `XChangeProperty` because the cliprdr channel thread calls `xf_cliprdr_server_format_data_response` which converts and uses the clipboard data without holding any lock, while the X11 event thread concurrently calls `xf_cliprdr_clear_cached_data` → `HashTable_Clear` which frees the same data via `xf_cached_data_free`, triggering a heap use after free. Version 3.23.0 fixes the issue.
Title FreeRDP has heap-use-after-free in xf_cliprdr_provide_data_
Weaknesses CWE-416
References
Metrics cvssV4_0

{'score': 5.5, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Freerdp Freerdp
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-26T15:52:24.977Z

Reserved: 2026-02-09T17:13:54.066Z

Link: CVE-2026-25959

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-02-25T21:16:42.023

Modified: 2026-02-27T14:52:51.210

Link: CVE-2026-25959

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-02-25T20:36:09Z

Links: CVE-2026-25959 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T15:00:11Z

Weaknesses