Description
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, `xf_clipboard_format_equal` reads freed `lastSentFormats` memory because `xf_clipboard_formats_free` (called from the cliprdr channel thread during auto-reconnect) frees the array while the X11 event thread concurrently iterates it in `xf_clipboard_changed`, triggering a heap use after free. Version 3.23.0 fixes the issue.
Published: 2026-02-25
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Potential memory corruption due to a heap use‑after‑free
Action: Patch Now
AI Analysis

Impact

FreeRDP implementations before version 3.23.0 contain a heap use‑after‑free flaw in the clipboard handling function xf_clipboard_format_equal. The function reads memory that has already been freed by xf_clipboard_formats_free, which is invoked from the cliprdr channel thread during auto‑reconnect while another thread is iterating the same data. This can corrupt memory and may lead to a crash or, in the worst case, remote code execution if an attacker can control the freed data. The weakness is described as CWE‑416 and the lack of proper synchronization is identified as CWE‑825.

Affected Systems

The flaw affects the FreeRDP client application. Any installed instance of the open‑source Remote Desktop Protocol client that runs a version older than 3.23.0 is vulnerable. The issue resides in the X11 clipboard implementation module of the client.

Risk and Exploitability

The entry carries a CVSS score of 5.5, indicating moderate impact. The EPSS score is below 1 %, suggesting a low probability of exploitation at this time. The vulnerability is not listed in CISA’s Known Exploited Vulnerabilities catalog. The attack is most likely triggered when a remote desktop session exchanges clipboard data; a malicious server could potentially trigger the flaw by sending specially crafted clipboard packets. Because the condition depends on concurrent thread activity, the exact exploitation path is non‑trivial, but the defect remains a legitimate risk for systems that rely on the clipboard functionality and has the potential to affect confidentiality, integrity, and availability.

Generated by OpenCVE AI on April 17, 2026 at 14:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade FreeRDP to version 3.23.0 or later to eliminate the use‑after‑free flaw
  • If an upgrade must be delayed, temporarily disable the clipboard feature in the client configuration to prevent the vulnerable code path from executing
  • Apply and test the updated client in a controlled environment before deploying it to production to confirm that clipboard operations function as expected and that no additional crashes occur

Generated by OpenCVE AI on April 17, 2026 at 14:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 27 Feb 2026 15:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:freerdp:freerdp:*:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H'}

 cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Thu, 26 Feb 2026 13:30:00 +0000

Type Values Removed Values Added
First Time appeared Freerdp
Freerdp freerdp
Vendors & Products Freerdp
Freerdp freerdp

Thu, 26 Feb 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-825
References
Metrics threat_severity

None

 cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H'}

threat_severity

Moderate

Wed, 25 Feb 2026 22:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 25 Feb 2026 21:00:00 +0000

Type Values Removed Values Added
Description FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, `xf_clipboard_format_equal` reads freed `lastSentFormats` memory because `xf_clipboard_formats_free` (called from the cliprdr channel thread during auto-reconnect) frees the array while the X11 event thread concurrently iterates it in `xf_clipboard_changed`, triggering a heap use after free. Version 3.23.0 fixes the issue.
Title FreeRDP has heap-use-after-free in xf_clipboard_format_equal
Weaknesses CWE-416
References
Metrics cvssV4_0

{'score': 5.5, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Freerdp Freerdp
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-25T21:39:08.071Z

Reserved: 2026-02-09T17:41:55.859Z

Link: CVE-2026-25997

cve-icon Vulnrichment

Updated: 2026-02-25T21:39:01.960Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-25T21:16:42.210

Modified: 2026-02-27T14:57:09.820

Link: CVE-2026-25997

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-02-25T20:38:40Z

Links: CVE-2026-25997 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T15:00:11Z

Weaknesses