CVE-2026-44422
7.5 HIGH
FreeRDP is a free implementation of the Remote Desktop Protocol
Published: 2026-05-29 · Last updated: 2026-06-01
Severity and scoring
- CVSS: 7.5 HIGH
- Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
- CWE: CWE-415 (Double Free), CWE-416 (Use After Free)
Affected products
| Vendor | Product |
|---|---|
| freerdp | freerdp |
Description
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.26.0, FreeRDP's RDPEAR NDR parser accepts one non-null NDR pointer ref-id for multiple logical pointer fields without tracking the pointed object's expected NDR type or ownership. When the same ref-id is reused across two pointer fields, the parser assigns the same heap object to both output fields. The generic destructor later walks each field independently and destroys/frees both pointers. This causes a malicious-server-triggerable heap use-after-free / double-free in the FreeRDP client's RDPEAR authentication-redirection path. This vulnerability is fixed in 3.26.0.
Source: NVD
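The root cause described above is an ownership defect in pointer resolution rather than a parsing bug in any one field: once two output fields can be bound to the same referent, any destructor that walks fields independently frees it twice. The following is an added, constructed model of that pattern and of the ownership-tracking fix; it is not FreeRDP code, and the ref-id table, the `field_a`/`field_b` names, the `NDR_TYPE_*` values and the sample ref-ids are all hypothetical.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of NDR deferred-pointer decoding, added to illustrate the
 * advisory; not FreeRDP code. Each pointer field carries a 32-bit ref-id, the
 * referent is created once per id, and the field is bound to it. Two logical
 * fields carrying the same non-null ref-id is the aliasing case described. */

enum ndr_type { NDR_TYPE_A = 1, NDR_TYPE_B = 2 };
struct ndr_obj { enum ndr_type type; uint32_t refid; };

/* Decoded message: two logical pointer fields, each meant to own its referent. */
struct message { struct ndr_obj *field_a; struct ndr_obj *field_b; };

/* Referents created so far, keyed by ref-id (bounded for the demo). */
#define MAX_REFS 8
struct ref_table { uint32_t ids[MAX_REFS]; struct ndr_obj *objs[MAX_REFS]; size_t count; };

static struct ndr_obj *find_ref(const struct ref_table *t, uint32_t refid)
{
    for (size_t i = 0; i < t->count; i++)
        if (t->ids[i] == refid) return t->objs[i];
    return NULL;
}

static struct ndr_obj *create_ref(struct ref_table *t, uint32_t refid, enum ndr_type type)
{
    if (t->count == MAX_REFS) return NULL;
    struct ndr_obj *o = calloc(1, sizeof *o);
    if (!o) return NULL;
    o->type = type;
    o->refid = refid;
    t->ids[t->count] = refid;
    t->objs[t->count++] = o;
    return o;
}

/* Binds one pointer field. Without ownership tracking (the vulnerable shape), a
 * reused ref-id resolves to the object already created for it, so two output
 * fields alias one heap object. With tracking, a non-null ref-id may be bound
 * to exactly one field, so every field owns a distinct referent. */
static int bind_pointer(struct ref_table *t, uint32_t refid, enum ndr_type type,
                        int track_ownership, struct ndr_obj **out)
{
    *out = NULL;
    if (refid == 0) return 0;                       /* null pointer: nothing to bind */
    struct ndr_obj *o = find_ref(t, refid);
    if (o && track_ownership) return -1;            /* ref-id already owned by another field */
    if (!o) o = create_ref(t, refid, type);
    if (!o) return -1;
    *out = o;
    return 0;
}

/* Generic destructor of the kind the advisory describes: walks each field
 * independently. Correct only if the fields never alias. Returns frees made. */
static int message_destroy(struct message *m)
{
    int freed = 0;
    if (m->field_a) { free(m->field_a); m->field_a = NULL; freed++; }
    if (m->field_b) { free(m->field_b); m->field_b = NULL; freed++; }
    return freed;
}

/* Decodes the two pointer fields from a constructed pair of ref-ids. */
static int decode_message(const uint32_t refids[2], int track_ownership, struct message *m)
{
    struct ref_table t = { 0 };
    memset(m, 0, sizeof *m);
    if (bind_pointer(&t, refids[0], NDR_TYPE_A, track_ownership, &m->field_a) != 0 ||
        bind_pointer(&t, refids[1], NDR_TYPE_B, track_ownership, &m->field_b) != 0) {
        message_destroy(m);                         /* only distinct objects bound so far */
        return -1;
    }
    return 0;
}

/* Returns 1 if the untracked decoder aliases both fields for input {7, 7}. The
 * object is freed once by hand: message_destroy here would be the double free. */
static int untracked_decoder_aliases(void)
{
    const uint32_t reused[2] = { 7, 7 };
    struct message m;
    if (decode_message(reused, 0, &m) != 0) return -1;
    int aliased = (m.field_a != NULL && m.field_a == m.field_b);
    free(m.field_a);
    return aliased;
}

/* Returns 1 if the ownership-tracking decoder rejects the reused ref-id, still
 * accepts distinct ids, and the destructor then frees exactly two objects. */
static int tracked_decoder_is_sound(void)
{
    const uint32_t reused[2] = { 7, 7 }, distinct[2] = { 7, 9 };
    struct message m;
    if (decode_message(reused, 1, &m) != -1) return 0;
    if (decode_message(distinct, 1, &m) != 0) return 0;
    if (!m.field_a || !m.field_b || m.field_a == m.field_b) return 0;
    return message_destroy(&m) == 2;
}
```

The design point is that the check belongs at binding time, not in the destructor: rejecting a ref-id that is already owned keeps the invariant "one referent per field" so the generic destructor stays correct without needing to know about aliasing. A decoder that instead deduplicates at destruction would still leave the aliased fields visible to every other consumer of the message. Running the decoder under AddressSanitizer with a reused ref-id is the quickest way to confirm that the untracked variant really does produce a double free once `message_destroy` is called on it.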
Related CVEs
Same vendor
- CVE-2026-45700 — FreeRDP is a free implementation of the Remote Desktop Protocol (9.8 CRITICAL)
- CVE-2026-44421 — FreeRDP is a free implementation of the Remote Desktop Protocol (8.8 HIGH)
- CVE-2026-44420 — FreeRDP is a free implementation of the Remote Desktop Protocol (8.8 HIGH)
- CVE-2026-40033 — FreeRDP before 3.26.0 contains a heap-buffer-overflow vulnerability in gdi_CacheToSurface that allows remote attackers to write out-of-bo... (8.8 HIGH)
Same CWE
- CVE-2026-53462 — ImageMagick is free and open-source software used for editing and manipulating digital images (5.9 MEDIUM)
- CVE-2026-46523 — ImageMagick is free and open-source software used for editing and manipulating digital images (6.2 MEDIUM)
- CVE-2026-52757 — Ghidra before 12.1 contains a heap-use-after-free vulnerability in the decompiler's HighVariable::merge() function during the variable me... (4.4 MEDIUM)
- CVE-2026-49496 — Ghidra before 12.1 contains a heap-use-after-free vulnerability in SleighBuilder::generatePointerAdd caused by iterator invalidation when... (6.1 MEDIUM)
- CVE-2026-45782 — Cloud Hypervisor is a Virtual Machine Monitor for Cloud workloads