CVE-2026-44420
Heap-Buffer-Overflow in FreeRDP Clipboard Channel
Publication date: 2026-05-29
Last updated on: 2026-05-29
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| freerdp | freerdp | all versions before 3.26.0 (3.26.0 excluded) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-122 | A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc(). |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-44420 is a heap-buffer-overflow vulnerability in FreeRDP's server-side clipboard (cliprdr) channel. A malicious Remote Desktop Protocol (RDP) client can exploit this by sending a CB_CLIP_CAPS PDU with an undersized capabilitySetLength value, which causes a heap overflow write.
Specifically, the vulnerability occurs because the server allocates a heap buffer based on the client-controlled capabilitySetLength but then writes a fixed-size structure larger than the allocated buffer, leading to an out-of-bounds write. This can crash the server process or potentially allow code execution by corrupting heap memory.
This issue affects FreeRDP versions up to 3.25.0 and was fixed in version 3.26.0.
How can this vulnerability impact me?
This vulnerability can have serious impacts including crashing the FreeRDP server process remotely, resulting in a denial of service (DoS).
More critically, because the heap memory is corrupted, an attacker may be able to execute arbitrary code on the server, potentially gaining control over the affected system.
The vulnerability has a high CVSS score of 8.8, indicating a high severity with impacts on confidentiality, integrity, and availability.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability is triggered by a malicious RDP client sending a CB_CLIP_CAPS PDU with an undersized capabilitySetLength value to a FreeRDP server. Detection would involve monitoring RDP traffic for anomalous or malformed CB_CLIP_CAPS PDUs, specifically those with unusually small capabilitySetLength values.
Since the vulnerability involves heap-buffer-overflow caused by a capabilitySetLength smaller than expected, network intrusion detection systems (NIDS) or packet inspection tools could be configured to flag CB_CLIP_CAPS PDUs with capabilitySetLength values less than the expected size (less than 12 bytes).
However, no specific detection commands or signatures are provided in the available information.
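The two answers above describe the same defect from both sides: the server sizes a heap allocation from the client-supplied capabilitySetLength and then writes a larger fixed-size structure into it, and a detector would flag CB_CLIP_CAPS PDUs whose capabilitySetLength is below the 12-byte structure size. The C parser below is an added example, not FreeRDP's code and not part of this record, showing the bounds check that closes that gap: a capability set is only copied into its fixed-size structure after its declared length is verified to be at least that structure's size and to fit inside the remaining input. The 12-byte layout (type, length, version, flags) is assumed from the MS-RDPECLIP general capability set, the field names follow this page, and the three sample PDU bodies are constructed test vectors.

```c
/* Added example (not FreeRDP code): defensive parsing of a CB_CLIP_CAPS
 * style PDU body. Every client-supplied capabilitySetLength is validated
 * before any fixed-size structure is populated from the set. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define CAPSET_HEADER_LEN   4u   /* capabilitySetType (2) + capabilitySetLength (2) */
#define GENERAL_CAPSET_LEN 12u   /* fixed size of the structure we fill (page: 12 bytes) */

/* Assumed 12-byte capability set layout (from MS-RDPECLIP general capability set). */
typedef struct {
    uint16_t type;
    uint16_t length;
    uint32_t version;
    uint32_t flags;
} clip_capset_t;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return (uint32_t)rd16(p) | ((uint32_t)rd16(p + 2) << 16); }

/* Parses the PDU body after the clipboard header: cCapabilitiesSets (2),
 * pad1 (2), then the capability sets. Returns the number of sets decoded,
 * or -1 if the PDU is rejected. The caller passes its own fixed-size
 * output array, so nothing is allocated from a client-controlled length. */
int parse_clip_caps(const uint8_t *buf, size_t len, clip_capset_t *out, size_t max_out)
{
    if (len < 4) return -1;                        /* no room for count + pad */
    uint16_t count = rd16(buf);
    size_t off = 4, n = 0;

    for (uint16_t i = 0; i < count; i++) {
        if (len - off < CAPSET_HEADER_LEN) return -1;   /* truncated set header */
        uint16_t type    = rd16(buf + off);
        uint16_t set_len = rd16(buf + off + 2);

        /* The check this bug class needs: the declared length must cover the
         * structure we are about to fill AND fit in the remaining input. An
         * undersized value (< 12) is exactly what a detector would flag. */
        if (set_len < GENERAL_CAPSET_LEN) return -1;
        if (set_len > len - off) return -1;
        if (n >= max_out) return -1;                    /* more sets than we accept */

        out[n].type    = type;
        out[n].length  = set_len;
        out[n].version = rd32(buf + off + 4);
        out[n].flags   = rd32(buf + off + 8);
        n++;
        off += set_len;                                 /* skip any trailing bytes */
    }
    return (int)n;
}

/* Constructed test vectors (little-endian), each with cCapabilitiesSets = 1. */
int example_valid(void)        /* one set, capabilitySetLength = 12 */
{
    static const uint8_t pdu[] = { 0x01,0x00, 0x00,0x00,
        0x01,0x00, 0x0c,0x00, 0x02,0x00,0x00,0x00, 0x01,0x00,0x00,0x00 };
    clip_capset_t sets[4];
    return parse_clip_caps(pdu, sizeof pdu, sets, 4);
}

int example_undersized(void)   /* same bytes, but capabilitySetLength = 8 */
{
    static const uint8_t pdu[] = { 0x01,0x00, 0x00,0x00,
        0x01,0x00, 0x08,0x00, 0x02,0x00,0x00,0x00, 0x01,0x00,0x00,0x00 };
    clip_capset_t sets[4];
    return parse_clip_caps(pdu, sizeof pdu, sets, 4);
}

int example_truncated(void)    /* declares 12 bytes but only 8 are present */
{
    static const uint8_t pdu[] = { 0x01,0x00, 0x00,0x00,
        0x01,0x00, 0x0c,0x00, 0x02,0x00,0x00,0x00 };
    clip_capset_t sets[4];
    return parse_clip_caps(pdu, sizeof pdu, sets, 4);
}

int main(void)
{
    printf("valid: %d, undersized: %d, truncated: %d\n",
           example_valid(), example_undersized(), example_truncated());
    return 0;
}
```

The output array is caller-owned and fixed in size, so even a correct length check is not the only safeguard: the write target never depends on the client's number. If a real implementation must keep the dynamic allocation, the same two comparisons (declared length against the structure size, and against the remaining input) still have to run before the copy.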
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to upgrade FreeRDP to version 3.26.0 or later, where this vulnerability has been fixed.
Until the upgrade can be applied, consider restricting or monitoring RDP client connections to the FreeRDP server to prevent potentially malicious clients from sending malformed CB_CLIP_CAPS PDUs.
Additionally, applying network-level protections such as firewall rules or intrusion detection/prevention systems to detect and block suspicious RDP clipboard channel traffic may help reduce exposure.