NIXPKGS-2026-0363
GitHub issue
published on 27 Feb 2026
by @LeSuisse Activity log
- Created automatic suggestion
- @LeSuisse accepted
- @LeSuisse published on GitHub
FreeRDP has heap-use-after-free in xf_cliprdr_provide_data_
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, `xf_cliprdr_provide_data_` passes freed `pDstData` to `XChangeProperty` because the cliprdr channel thread calls `xf_cliprdr_server_format_data_response` which converts and uses the clipboard data without holding any lock, while the X11 event thread concurrently calls `xf_cliprdr_clear_cached_data` → `HashTable_Clear` which frees the same data via `xf_cached_data_free`, triggering a heap use after free. Version 3.23.0 fixes the issue.
References
- https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-78xg-v4p2-4w3c x_refsource_CONFIRM
- https://github.com/FreeRDP/FreeRDP/commit/d3e8b3b9365be96a4f11dda149d71b3287227d0a x_refsource_MISC
- https://github.com/FreeRDP/FreeRDP/blob/5c7aae27d0417b42b4806c2a5c583ca39dd9ef1e/client/X11/xf_cliprdr.c#L1229-L1243 x_refsource_MISC
- https://github.com/FreeRDP/FreeRDP/blob/5c7aae27d0417b42b4806c2a5c583ca39dd9ef1e/client/X11/xf_cliprdr.c#L1337-L1344 x_refsource_MISC
- https://github.com/FreeRDP/FreeRDP/blob/5c7aae27d0417b42b4806c2a5c583ca39dd9ef1e/client/X11/xf_cliprdr.c#L200-L208 x_refsource_MISC
- https://github.com/FreeRDP/FreeRDP/blob/5c7aae27d0417b42b4806c2a5c583ca39dd9ef1e/client/X11/xf_cliprdr.c#L2295 x_refsource_MISC
- https://github.com/FreeRDP/FreeRDP/blob/5c7aae27d0417b42b4806c2a5c583ca39dd9ef1e/client/X11/xf_cliprdr.c#L2323-L2334 x_refsource_MISC
- https://github.com/FreeRDP/FreeRDP/blob/5c7aae27d0417b42b4806c2a5c583ca39dd9ef1e/client/X11/xf_cliprdr.c#L2363 x_refsource_MISC
- https://github.com/FreeRDP/FreeRDP/blob/5c7aae27d0417b42b4806c2a5c583ca39dd9ef1e/client/X11/xf_cliprdr.c#L933 x_refsource_MISC
Affected products
FreeRDP
- ==< 3.23.0
Package maintainers
-
@peterhoeg Peter Hoeg <peter@hoeg.com>