CVE-2026-44422 - Vulnerability Details

Description

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.26.0, FreeRDP's RDPEAR NDR parser accepts one non-null NDR pointer ref-id for multiple logical pointer fields without tracking the pointed object's expected NDR type or ownership. When the same ref-id is reused across two pointer fields, the parser assigns the same heap object to both output fields. The generic destructor later walks each field independently and destroys/frees both pointers. This causes a malicious-server-triggerable heap use-after-free / double-free in the FreeRDP client's RDPEAR authentication-redirection path. This vulnerability is fixed in 3.26.0.

Published: 2026-05-29

Score: 7.5 High

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

FreeRDP’s RDPEAR NDR parser incorrectly handles pointer ref‑ids, allowing a malicious Remote Desktop server to reuse the same ref‑id across multiple pointer fields. The parser allocates the same heap object for both fields, and the subsequent destructor frees that object twice, creating a heap use‑after‑free or double‑free. An attacker can exploit this flaw to corrupt the client’s memory and potentially execute arbitrary code while the user is authenticating to an RDP session. The weakness is a classic double‑free error (CWE‑415) and a use‑after‑free scenario (CWE‑416).

Affected Systems

All versions of the FreeRDP client older than 3.26.0 are affected. The product is the FreeRDP Remote Desktop client, provided by the open‑source FreeRDP project. No other vendors or product lines are listed as impacted.

Risk and Exploitability

The CVSS score of 7.5 denotes medium‑to‑high severity. The EPSS score is not available, indicating no publicly known recent exploitation trend, and the vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred from the description: a malicious RDP server that sends an authentication‑redirection request can trigger the flaw during the client’s parsing of the RDPEAR message. Successful exploitation would require the client to be connected to a server that is controlled by an attacker and that sends crafted data. Once triggered, the attacker could achieve code execution or other memory corruption effects on the client machine.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

FreeRDP

affected

Version	Status	Constraints
`< 3.26.0`	affected	—

No data.

Vendor Product Confidence Versions

Freerdp

100%

Version	Status	Scheme	Platform
`[0,3.26.0)`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the FreeRDP client to version 3.26.0 or later, which contains the full fix for the RDPEAR NDR parser flaw.
If an immediate upgrade is not feasible, restrict Remote Desktop connections to known, trusted IP addresses by configuring firewall or network segmentation to reduce exposure to untrusted RDP servers.
Continuously monitor client logs for unexpected authentication‑redirection attempts and apply general best practices for RDP, such as enforcing TLS encryption and verifying server certificates, to mitigate similar protocol‑level attacks.

Generated by OpenCVE AI on May 29, 2026 at 21:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-j9q5-7g8m-jc9v

History

Fri, 29 May 2026 21:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Freerdp Freerdp freerdp
Vendors & Products		Freerdp Freerdp freerdp

Fri, 29 May 2026 20:15:00 +0000

Type	Values Removed	Values Added
Description		FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.26.0, FreeRDP's RDPEAR NDR parser accepts one non-null NDR pointer ref-id for multiple logical pointer fields without tracking the pointed object's expected NDR type or ownership. When the same ref-id is reused across two pointer fields, the parser assigns the same heap object to both output fields. The generic destructor later walks each field independently and destroys/frees both pointers. This causes a malicious-server-triggerable heap use-after-free / double-free in the FreeRDP client's RDPEAR authentication-redirection path. This vulnerability is fixed in 3.26.0.
Title		FreeRDP RDPEAR NDR ref-id aliasing causes client-side UAF/double-free and type confusion
Weaknesses		CWE-415 CWE-416
References		https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-j9q5-7g8m-jc9v
Metrics		cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'}`

Subscriptions

Freerdp Freerdp

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-05-29T19:41:46.829Z

Updated: 2026-05-29T19:41:46.829Z

Reserved: 2026-05-06T14:40:00.953Z

Link: CVE-2026-44422

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-05-29T20:16:24.660

Modified: 2026-05-29T20:22:37.383

Link: CVE-2026-44422

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-29T21:30:06Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object