CVE-2026-25959
Published: 25 February 2026
Description
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, `xf_cliprdr_provide_data_` passes freed `pDstData` to `XChangeProperty` because the cliprdr channel thread calls `xf_cliprdr_server_format_data_response` which converts and uses the clipboard data without holding any lock, while the X11 event thread concurrently calls `xf_cliprdr_clear_cached_data` → `HashTable_Clear` which frees the same data via `xf_cached_data_free`, triggering a heap use after free. Version 3.23.0 fixes the issue.
Mitigating Controls (NIST 800-53 r5) (AI)
- Requires timely flaw remediation by patching to FreeRDP version 3.23.0, directly eliminating the heap use-after-free vulnerability.
- Implements memory protections such as ASLR, DEP, and hardened allocators to mitigate exploitation of the use-after-free for code execution.
- Restricts non-essential functions like clipboard redirection in RDP clients, preventing the multi-threaded race condition from being triggered.
Security Summary (AI)
CVE-2026-25959 is a heap use-after-free vulnerability (CWE-416) in FreeRDP, a free implementation of the Remote Desktop Protocol. It affects versions prior to 3.23.0, specifically in the X11 client's clipboard redirection component within xf_cliprdr.c. The flaw occurs because the function xf_cliprdr_provide_data_ passes a freed pDstData pointer to XChangeProperty; this stems from a race condition where the cliprdr channel thread calls xf_cliprdr_server_format_data_response to convert and use clipboard data without holding a lock, while the X11 event thread concurrently invokes xf_cliprdr_clear_cached_data, leading to HashTable_Clear and xf_cached_data_free on the same data.
The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating exploitation over the network with low complexity, no privileges or user interaction required. A remote unauthenticated attacker can trigger it by establishing an RDP connection with clipboard redirection enabled to a vulnerable FreeRDP client, manipulating clipboard data to induce the race condition and cause a use-after-free. Successful exploitation could enable arbitrary code execution, high-integrity data modification, or denial of service.
FreeRDP version 3.23.0 resolves the issue. Code references in the FreeRDP GitHub repository highlight the problematic locations, including lines around xf_cliprdr_provide_data_ (L1229-L1243, L1337-L1344), data handling (L200-L208, L2295), and freeing logic (L2323-L2334).
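The race described above, reduced to its locking pattern, as an added illustration (not FreeRDP's code and not the 3.23.0 patch): the thread that uses cached clipboard data copies it out under the same lock the clearing thread takes, so a clear arriving between lookup and use cannot free the buffer in use. `clip_cache`, `cache_set`, `cache_clear`, `cache_store`, `cache_copy_out` and `replay_lookup_clear_use` are hypothetical names, and the sample string is constructed.

```c
#include <pthread.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical single-slot stand-in for the cache; `data` is owned by it. */
typedef struct { pthread_mutex_t lock; unsigned char *data; size_t len; } clip_cache;

/* Swap in new contents (NULL clears) and free the old ones, under the lock. */
static void cache_set(clip_cache *c, unsigned char *p, size_t n) {
    pthread_mutex_lock(&c->lock);
    free(c->data);
    c->data = p; c->len = n;
    pthread_mutex_unlock(&c->lock);
}

void cache_clear(clip_cache *c) { cache_set(c, NULL, 0); } /* event-thread role */

int cache_store(clip_cache *c, const void *src, size_t len) {
    unsigned char *copy = malloc(len ? len : 1);
    if (!copy) return -1;
    memcpy(copy, src, len);
    cache_set(c, copy, len);
    return 0;
}

/* Channel-thread role: copy out under the same lock, so the caller owns its
   buffer. Returning c->data itself would leave the use-after-free window. */
unsigned char *cache_copy_out(clip_cache *c, size_t *len) {
    unsigned char *out = NULL;
    pthread_mutex_lock(&c->lock);
    if (c->data && (out = malloc(c->len ? c->len : 1)) != NULL) {
        memcpy(out, c->data, c->len);
        *len = c->len;
    }
    pthread_mutex_unlock(&c->lock);
    return out;
}

/* Replays lookup, clear, use in one thread; returns 1 if the copy survived. */
int replay_lookup_clear_use(void) {
    static const char sample[] = "constructed clipboard text";
    clip_cache c = { PTHREAD_MUTEX_INITIALIZER, NULL, 0 };
    size_t n = 0;
    if (cache_store(&c, sample, sizeof sample) != 0) return -1;
    unsigned char *mine = cache_copy_out(&c, &n);  /* lookup */
    cache_clear(&c);                               /* clear lands in between */
    int ok = mine && n == sizeof sample && !memcmp(mine, sample, n);  /* use */
    free(mine);
    return ok;
}

int main(void) { return replay_lookup_clear_use() == 1 ? 0 : 1; }
```

Building a variant that returns the cache's own pointer and running it under AddressSanitizer (`-fsanitize=address`) reports the resulting access as a heap-use-after-free, which is a practical way to regression-test this class of bug.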
MITRE ATT&CK Enterprise Techniques (AI)
Why these techniques?
Heap use-after-free in FreeRDP client clipboard redirection enables remote arbitrary code execution via client-side exploitation.