Home / Vulnerability Intelligence / CVE-2026-25959

CVE-2026-25959 - Vulnerability Analysis

CriticalCVSS: 9.8

Last Updated: February 27, 2026

FreeRDP - Use After Free

Published: February 25, 2026Updated: February 27, 2026PoC AvailableRemote Exploitable

Overview

FreeRDP < 3.23.0 contains a use after free vulnerability caused by concurrent access to clipboard data in xf_cliprdr_provide_data_ and X11 event threads, letting remote attackers cause heap corruption, exploit requires concurrent clipboard usage.

Severity & Score

Severity: Critical

CVSS Score: 9.8

EPSS Score: 8.3%(Probability of exploitation in next 30 days)

Impact

Attackers can cause heap corruption leading to potential application crashes or arbitrary code execution.

Mitigation

Update to version 3.23.0 or later.

References

Social Media Activity(1 post)

TheHackerWire

@thehackerwire

Mar 1, 2026

🔴 CVE-2026-25959 - Critical (9.8) FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, `xf_cliprdr_provide_data_` passes freed `pDstData` to `XChangeProperty` because the cliprdr channel thread calls `xf_cliprdr_server_format_data_response` whi... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-25959/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

Related Resources

Details

CVE ID: CVE-2026-25959
Severity: Critical
CVSS Score: 9.8
Type: use_after_free
Status: confirmed
EPSS: 8.3%
Social Posts: 1

CWE

CWE-416

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score

8.3%Probability of exploitation in the next 30 days