CVE-2026-44422
Analyzed Analyzed - Analysis Complete
Heap Use-After-Free in FreeRDP Client

Publication date: 2026-05-29

Last updated on: 2026-06-01

Assigner: GitHub, Inc.

Description
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.26.0, FreeRDP's RDPEAR NDR parser accepts one non-null NDR pointer ref-id for multiple logical pointer fields without tracking the pointed object's expected NDR type or ownership. When the same ref-id is reused across two pointer fields, the parser assigns the same heap object to both output fields. The generic destructor later walks each field independently and destroys/frees both pointers. This causes a malicious-server-triggerable heap use-after-free / double-free in the FreeRDP client's RDPEAR authentication-redirection path. This vulnerability is fixed in 3.26.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-29
Last Modified
2026-06-01
Generated
2026-06-19
AI Q&A
2026-05-29
EPSS Evaluated
2026-06-18
NVD
CVE-2026-44422
EUVD
EUVD-2026-33434
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
freerdp freerdp to 3.26.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-416 The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
CWE-415 The product calls free() twice on the same memory address.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in FreeRDP's RDPEAR NDR parser, which improperly handles non-null NDR pointer ref-ids. When the same ref-id is reused across multiple pointer fields, the parser assigns the same heap object to these fields without tracking the object's expected type or ownership.

As a result, when the generic destructor later processes these fields independently, it frees the same memory twice, causing a heap use-after-free and double-free condition. This can lead to client-side memory corruption.

Additionally, the vulnerability allows cross-type aliasing, where one object type can be misinterpreted as another, causing heap out-of-bounds reads and type confusion.

An attacker can exploit this by sending malicious RDPEAR NDR data to a FreeRDP client, triggering these memory corruption issues.

Impact Analysis

This vulnerability can cause client-side memory corruption in the FreeRDP client, which may lead to instability or crashes.

While it does not guarantee reliable remote code execution, the memory corruption could potentially be leveraged by an attacker to execute arbitrary code or cause denial of service.

Exploitation requires user interaction and involves network-based attacks with high complexity.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade your FreeRDP client to version 3.26.0 or later, where the issue has been fixed.

Avoid using vulnerable versions of FreeRDP (up to 3.25.0) especially when connecting to untrusted or potentially malicious servers.

Since the vulnerability requires user interaction and involves network-based attacks, exercising caution when connecting to unknown Remote Desktop servers can reduce risk.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-44422. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart