CVE-2026-25997: FreeRDP xf_cliprdr Free of lastSentFormats Without X11 Lock
greprules fetch cve-2026-25997-freerdp-xf-cliprdr-free-last-sent-formats-without-x11-lock --engine opengrep
Description
xf_cliprdr_free_formats is called on $C->lastSentFormats without the surrounding xf_lock_x11/xf_unlock_x11 pair. The cliprdr channel thread can free this array while the X11 event thread concurrently iterates it in xf_clipboard_changed / xf_clipboard_format_equal, producing a heap use-after-free (CVE-2026-25997, CWE-416). Serialize the free with xf_lock_x11(
Detection target
Not provided
Recommended fix
Not provided
False-positive notes
Not provided