CVE-2026-25997
Published: 25 February 2026
Description
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, `xf_clipboard_format_equal` reads freed `lastSentFormats` memory because `xf_clipboard_formats_free` (called from the cliprdr channel thread during auto-reconnect) frees the array while the X11 event thread concurrently iterates it in `xf_clipboard_changed`, triggering a heap use after free. Version 3.23.0 fixes the issue.
Mitigating Controls (NIST 800-53 r5)
- Directly mitigates the heap use-after-free vulnerability by requiring timely patching of FreeRDP to version 3.23.0 or later.
- Implements memory protection techniques such as ASLR and DEP, which raise the cost of exploiting the use-after-free condition in FreeRDP's clipboard handling but do not remove the underlying defect; only the 3.23.0 update does.
- Enables detection of vulnerable FreeRDP versions through vulnerability scanning, facilitating remediation of this specific CVE.
Security Summary
CVE-2026-25997 is a heap use-after-free vulnerability in FreeRDP, a free implementation of the Remote Desktop Protocol. The issue affects versions prior to 3.23.0 and occurs in the X11 client module's clipboard handling code within the cliprdr channel. Specifically, the function `xf_clipboard_format_equal` reads from the freed `lastSentFormats` memory array, which is deallocated by `xf_clipboard_formats_free` in the cliprdr channel thread during an auto-reconnect scenario. Meanwhile, the X11 event thread concurrently iterates over the same array in `xf_clipboard_changed`, leading to the use-after-free condition classified under CWE-416. The vulnerability carries a CVSS v3.1 base score of 9.8.
A remote attacker can exploit this vulnerability over the network with low complexity, requiring no privileges or user interaction. By manipulating clipboard operations during an RDP auto-reconnect, the attacker can trigger the race condition between the cliprdr channel thread and the X11 event thread. Successful exploitation could result in high-impact consequences, including arbitrary code execution, data disclosure, or denial of service, as indicated by the CVSS impact metrics for confidentiality, integrity, and availability.
The patch in FreeRDP version 3.23.0 resolves the issue, with relevant code changes visible in the project's GitHub repository at specific lines in `client/X11/xf_cliprdr.c` (e.g., lines 1884, 1889, 265, 616, and 831). Security practitioners should prioritize upgrading affected FreeRDP installations to version 3.23.0 or later to mitigate the vulnerability.
Details
- CWE(s): CWE-416 (Use After Free)
- Affected Products: FreeRDP versions prior to 3.23.0
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The heap use-after-free vulnerability in the FreeRDP RDP client enables remote arbitrary code execution via clipboard manipulation during auto-reconnect, directly facilitating Exploitation for Client Execution (T1203).