Home / Vulnerability Intelligence / CVE-2026-25997

CVE-2026-25997 - Vulnerability Analysis

CriticalCVSS: 9.8

Last Updated: February 27, 2026

FreeRDP - Use After Free

Published: February 25, 2026Updated: February 27, 2026PoC AvailableRemote Exploitable

Overview

FreeRDP < 3.23.0 contains a use after free vulnerability caused by concurrent access to freed clipboard format memory in xf_clipboard_format_equal and xf_clipboard_formats_free, letting attackers cause heap corruption or crash, exploit requires concurrent clipboard activity during auto-reconnect.

Severity & Score

Severity: Critical

CVSS Score: 9.8

EPSS Score: 8.8%(Probability of exploitation in next 30 days)

Impact

Attackers can cause heap corruption or application crash, potentially leading to denial of service or code execution.

Mitigation

Update to version 3.23.0 or later.

References

Social Media Activity(1 post)

TheHackerWire

@thehackerwire

Mar 1, 2026

🔴 CVE-2026-25997 - Critical (9.8) FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, `xf_clipboard_format_equal` reads freed `lastSentFormats` memory because `xf_clipboard_formats_free` (called from the cliprdr channel thread during auto-reco... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-25997/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

Related Resources

Details

CVE ID: CVE-2026-25997
Severity: Critical
CVSS Score: 9.8
Type: use_after_free
Status: confirmed
EPSS: 8.8%
Social Posts: 1

CWE

CWE-416

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score

8.8%Probability of exploitation in the next 30 days