FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, `xf_clipboard_format_equal` reads freed `lastSentFormats` memory because `xf_clipboard_formats_free` (called from the cliprdr channel thread during auto-reconnect) frees the array while the X11 event thread concurrently iterates it in `xf_clipboard_changed`, triggering a heap use after free. Version 3.23.0 fixes the issue.

Project Subscriptions

No data.

Advisories

No advisories yet.

Fixes

Solution

No solution given by the vendor.


Workaround

No workaround given by the vendor.

History

Wed, 25 Feb 2026 22:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 25 Feb 2026 21:00:00 +0000

Type Values Removed Values Added
Description FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, `xf_clipboard_format_equal` reads freed `lastSentFormats` memory because `xf_clipboard_formats_free` (called from the cliprdr channel thread during auto-reconnect) frees the array while the X11 event thread concurrently iterates it in `xf_clipboard_changed`, triggering a heap use after free. Version 3.23.0 fixes the issue.
Title FreeRDP has heap-use-after-free in xf_clipboard_format_equal
Weaknesses CWE-416
References
Metrics cvssV4_0

{'score': 5.5, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P'}


Projects

Sign in to view the affected projects.

cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-25T21:39:08.071Z

Reserved: 2026-02-09T17:41:55.859Z

Link: CVE-2026-25997

cve-icon Vulnrichment

Updated: 2026-02-25T21:39:01.960Z

cve-icon NVD

Status : Received

Published: 2026-02-25T21:16:42.210

Modified: 2026-02-25T22:16:23.913

Link: CVE-2026-25997

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

No data.

Weaknesses