CVE-2026-25959
Published: 25 February 2026
Summary
CVE-2026-25959 is a critical-severity Use After Free (CWE-416) vulnerability in FreeRDP. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). The CVE ranks at the 36.2nd percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-7 (Least Functionality).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5) [AI]
Requires timely flaw remediation by patching to FreeRDP version 3.23.0, directly eliminating the heap use-after-free vulnerability.
Implements memory protections such as ASLR, DEP, and hardened allocators to mitigate exploitation of the use-after-free for code execution.
Restricts non-essential functions like clipboard redirection in RDP clients, preventing the multi-threaded race condition from being triggered.
MITRE ATT&CK Enterprise Techniques [AI]
Why these techniques?
Heap use-after-free in FreeRDP client clipboard redirection enables remote arbitrary code execution via client-side exploitation.
NVD Description
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, `xf_cliprdr_provide_data_` passes freed `pDstData` to `XChangeProperty` because the cliprdr channel thread calls `xf_cliprdr_server_format_data_response` which converts and uses the clipboard data without holding any lock, while the X11 event thread concurrently calls `xf_cliprdr_clear_cached_data` → `HashTable_Clear` which frees the same data via `xf_cached_data_free`, triggering a heap use after free. Version 3.23.0 fixes the issue.
Deeper analysis [AI]
CVE-2026-25959 is a heap use-after-free vulnerability (CWE-416) in FreeRDP, a free implementation of the Remote Desktop Protocol. It affects versions prior to 3.23.0, specifically in the X11 client's clipboard redirection component within xf_cliprdr.c. The flaw occurs because the function xf_cliprdr_provide_data_ passes a freed pDstData pointer to XChangeProperty; this stems from a race condition where the cliprdr channel thread calls xf_cliprdr_server_format_data_response to convert and use clipboard data without holding a lock, while the X11 event thread concurrently invokes xf_cliprdr_clear_cached_data, leading to HashTable_Clear and xf_cached_data_free on the same data.
The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating exploitation over the network with low complexity, no privileges or user interaction required. A remote unauthenticated attacker can trigger it by establishing an RDP connection with clipboard redirection enabled to a vulnerable FreeRDP client, manipulating clipboard data to induce the race condition and cause a use-after-free. Successful exploitation could enable arbitrary code execution, high-integrity data modification, or denial of service.
FreeRDP version 3.23.0 resolves the issue. Code references in the FreeRDP GitHub repository highlight the problematic locations, including lines around xf_cliprdr_provide_data_ (L1229-L1243, L1337-L1344), data handling (L200-L208, L2295), and freeing logic (L2323-L2334).
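The race described above has one thread using cache-owned memory outside any lock while another thread frees it. The C code below is an added example, not FreeRDP code and not the 3.23.0 patch; `clip_cache`, `g_cache`, `cache_store`, `cache_clear` and `cache_take_copy` are hypothetical names. It shows one general way to close this class of race: the freeing path and the consuming path share a mutex, and the consumer leaves the critical section holding only a copy it owns.

```c
#include <pthread.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical single-slot cache shared by a channel thread and an event thread. */
typedef struct {
    pthread_mutex_t lock;
    unsigned char *data; /* owned by the cache; touched only under lock */
    size_t size;
} clip_cache;
clip_cache g_cache = { PTHREAD_MUTEX_INITIALIZER, NULL, 0 };

/* Replace the cached entry with a private copy of src; 0 on success. */
int cache_store(clip_cache *c, const void *src, size_t n) {
    unsigned char *copy = malloc(n ? n : 1);
    if (!copy) return -1;
    memcpy(copy, src, n);
    pthread_mutex_lock(&c->lock);
    free(c->data);
    c->data = copy;
    c->size = n;
    pthread_mutex_unlock(&c->lock);
    return 0;
}

/* Event-thread side: free and reset the entry in one critical section. */
void cache_clear(clip_cache *c) {
    pthread_mutex_lock(&c->lock);
    free(c->data);
    c->data = NULL;
    c->size = 0;
    pthread_mutex_unlock(&c->lock);
}

/* Channel-thread side: copy under the lock so the caller never keeps a pointer
 * into cache-owned memory. NULL if cleared or out of memory; caller frees. */
unsigned char *cache_take_copy(clip_cache *c, size_t *out_n) {
    unsigned char *copy = NULL;
    pthread_mutex_lock(&c->lock);
    if (c->data && (copy = malloc(c->size ? c->size : 1)) != NULL) {
        memcpy(copy, c->data, c->size);
        *out_n = c->size;
    }
    pthread_mutex_unlock(&c->lock);
    return copy;
}
```

Whatever the consumer hands to a downstream API is then the returned copy, which stays valid even if `cache_clear` runs immediately afterwards on another thread.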
Details
- CWE(s)