CVE-2026-25959

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, xf_cliprdr_provide_data_ passes freed pDstData to XChangeProperty because the cliprdr channel thread calls xf_cliprdr_server_format_data_response which converts and uses the clipboard data without holding any lock, while the X11 event thread concurrently calls xf_cliprdr_clear_cached_data → HashTable_Clear which frees the same data via xf_cached_data_free, triggering a heap use after free. Version 3.23.0 fixes the issue.

Database specific

{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-416"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/25xxx/CVE-2026-25959.json"
}

References

Affected packages

Git / github.com/freerdp/freerdp

Affected ranges

Type: GIT
Repo: https://github.com/freerdp/freerdp
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

b933ae18d9ad2a1d73c610868fcc30eb61654070

Affected versions

1.*

1.0-beta1

1.0-beta2

1.0-beta3

1.0-beta4

1.0-beta5

1.0.0

1.0.1

1.1.0-beta+2013071101

1.1.0-beta1

1.1.0-beta1+android2

1.1.0-beta1+android3

1.1.0-beta1+android4

1.1.0-beta1+android5

1.1.0-beta1+ios1

1.1.0-beta1+ios2

1.1.0-beta1+ios3

1.1.0-beta1+ios4

1.2.0-beta1+android7

1.2.0-beta1+android9

2.*

2.0.0

2.0.0-beta1+android10

2.0.0-beta1+android11

2.0.0-rc0

2.0.0-rc1

2.0.0-rc2

2.0.0-rc3

2.0.0-rc4

3.*

3.0.0

3.0.0-beta1

3.0.0-beta2

3.0.0-beta3

3.0.0-beta4

3.0.0-rc0

3.1.0

3.10.0

3.10.1

3.10.2

3.10.3

3.11.0

3.11.1

3.12.0

3.13.0

3.14.0

3.14.1

3.15.0

3.16.0

3.17.0

3.17.1

3.17.2

3.18.0

3.19.0

3.19.1

3.2.0

3.20.0

3.20.1

3.20.2

3.21.0

3.22.0

3.3.0

3.4.0

3.5.0

3.5.1

3.6.0

3.6.1

3.6.2

3.6.3

3.7.0

3.9.0

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-25959.json"