CVE-2026-25997

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2026-25997
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-25997.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2026-25997
Aliases
  • GHSA-q5j3-m6jf-3jq4
Downstream
Related
Published
2026-02-25T20:38:40.483Z
Modified
2026-04-11T03:29:12.065126Z
Severity
  • 5.5 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P CVSS Calculator
Summary
FreeRDP has heap-use-after-free in xf_clipboard_format_equal
Details

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, xf_clipboard_format_equal reads freed lastSentFormats memory because xf_clipboard_formats_free (called from the cliprdr channel thread during auto-reconnect) frees the array while the X11 event thread concurrently iterates it in xf_clipboard_changed, triggering a heap use after free. Version 3.23.0 fixes the issue.

Database specific 
{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-416"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/25xxx/CVE-2026-25997.json"
}
References

Affected packages

Git / github.com/freerdp/freerdp

Affected ranges

Type
GIT
Repo
https://github.com/freerdp/freerdp
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
b933ae18d9ad2a1d73c610868fcc30eb61654070
Fixed
58409406afe7c2a8a71ed2dc8e22075be4f41c0c
Database specific 
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "3.23.0"
        }
    ]
}

Affected versions

1.*
1.0-beta1
1.0-beta2
1.0-beta4
1.0-beta5
1.0.0
1.0.1
1.1.0-beta+2013071101
1.1.0-beta1
1.1.0-beta1+android2
1.1.0-beta1+android3
1.1.0-beta1+android4
1.1.0-beta1+android5
1.1.0-beta1+ios1
1.1.0-beta1+ios2
1.1.0-beta1+ios3
1.1.0-beta1+ios4
1.2.0-beta1+android7
1.2.0-beta1+android9
2.*
2.0.0
2.0.0-beta1+android10
2.0.0-beta1+android11
2.0.0-rc0
2.0.0-rc1
2.0.0-rc2
2.0.0-rc3
2.0.0-rc4
3.*
3.0.0
3.0.0-beta1
3.0.0-beta2
3.0.0-beta3
3.0.0-beta4
3.0.0-rc0
3.1.0
3.2.0
3.3.0
3.4.0
3.5.0
3.5.1

Database specific

vanir_signatures_modified 
"2026-04-11T03:29:12Z"
source 
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-25997.json"
vanir_signatures 
[
    {
        "target": {
            "function": "xf_cliprdr_monitor_ready",
            "file": "client/X11/xf_cliprdr.c"
        },
        "signature_version": "v1",
        "deprecated": false,
        "digest": {
            "length": 419.0,
            "function_hash": "195849574162932588145718783437253003595"
        },
        "id": "CVE-2026-25997-25d86b87",
        "source": "https://github.com/freerdp/freerdp/commit/58409406afe7c2a8a71ed2dc8e22075be4f41c0c",
        "signature_type": "Function"
    },
    {
        "target": {
            "file": "client/X11/xf_cliprdr.c"
        },
        "signature_version": "v1",
        "deprecated": false,
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "213134136836180262365431837827228730461",
                "277752843233953448648189769488259531807",
                "4964755656961635326905751501448807356",
                "108864957116009187920511780557764778242",
                "315943788099464136332529350953945905405",
                "248374935966901917132843977254113233595",
                "10244202000254632556120268878885523237",
                "234628572719705076252523942131172036233",
                "55990807952088988161917268347216149190",
                "298881736267022793904247585657603751224",
                "46650901616901917821578809886350007354",
                "298292769769841049615805825273001898253",
                "327066214340680784749134499370173748622",
                "72550550739841773298717687094663279216",
                "71747830891949038026006767757655546066",
                "223822752226424211273268088594268624193",
                "124832886688866327895298760551761521092",
                "253537164236478619529944105598025493461",
                "110073672116881815492195304918401154298"
            ]
        },
        "id": "CVE-2026-25997-c249e9fb",
        "source": "https://github.com/freerdp/freerdp/commit/58409406afe7c2a8a71ed2dc8e22075be4f41c0c",
        "signature_type": "Line"
    },
    {
        "target": {
            "function": "xf_clipboard_formats_free",
            "file": "client/X11/xf_cliprdr.c"
        },
        "signature_version": "v1",
        "deprecated": false,
        "digest": {
            "length": 202.0,
            "function_hash": "236834648570296669487754527101298463963"
        },
        "id": "CVE-2026-25997-f0d189d9",
        "source": "https://github.com/freerdp/freerdp/commit/58409406afe7c2a8a71ed2dc8e22075be4f41c0c",
        "signature_type": "Function"
    }
]