- Description
- FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.26.0, FreeRDP's RDPEAR NDR parser accepts one non-null NDR pointer ref-id for multiple logical pointer fields without tracking the pointed object's expected NDR type or ownership. When the same ref-id is reused across two pointer fields, the parser assigns the same heap object to both output fields. The generic destructor later walks each field independently and destroys/frees both pointers. This causes a malicious-server-triggerable heap use-after-free / double-free in the FreeRDP client's RDPEAR authentication-redirection path. This vulnerability is fixed in 3.26.0.
- Source
- security-advisories@github.com
- NVD status
- Analyzed
- Products
- freerdp
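The ref-id reuse in the description above is exactly the aliasing an NDR pointer table has to account for. The following C sketch is an added example, constructed for this page and not FreeRDP's own parser (the type names, the 8-slot table and the fixed 64-byte object are assumptions): it records each ref-id's object, expected NDR type and owning field on first sight, turns a reused ref-id into a non-owning alias, rejects a reuse under a different type, and lets the destructor free every object exactly once.

```c
/* Constructed example, not FreeRDP code: an NDR-style pointer table that
 * tracks per ref-id the decoded object, its expected type and which field
 * owns it, so a ref-id reused across two pointer fields cannot produce a
 * second owning reference (and thus a double free). */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

enum ndr_type { NDR_TYPE_A = 1, NDR_TYPE_B = 2 };   /* hypothetical IDL types */

typedef struct { uint32_t ref_id; int type; void *obj; int owner; } ndr_field;
typedef struct { ndr_field fields[8]; size_t count; int frees; } ndr_ctx;

/* Decode one pointer field: ref_id comes from the wire, expected_type from
 * the IDL. Returns 0 on success, -1 on overflow or a ref-id reused with a
 * different NDR type (type confusion). */
int ndr_read_pointer(ndr_ctx *ctx, uint32_t ref_id, int expected_type)
{
    if (ctx->count >= 8) return -1;
    ndr_field *f = &ctx->fields[ctx->count];
    f->ref_id = ref_id; f->type = expected_type; f->obj = NULL; f->owner = 0;
    if (ref_id == 0) { ctx->count++; return 0; }          /* null pointer */
    for (size_t i = 0; i < ctx->count; i++) {
        if (ctx->fields[i].ref_id != ref_id || !ctx->fields[i].obj) continue;
        if (ctx->fields[i].type != expected_type) return -1;
        f->obj = ctx->fields[i].obj;                       /* alias, not owner */
        ctx->count++; return 0;
    }
    f->obj = malloc(64);                                  /* first sighting: allocate and own */
    if (!f->obj) return -1;
    f->owner = 1; ctx->count++;
    return 0;
}

/* Generic destructor: frees only owning fields, so aliases are skipped. */
void ndr_destroy(ndr_ctx *ctx)
{
    for (size_t i = 0; i < ctx->count; i++)
        if (ctx->fields[i].owner) { free(ctx->fields[i].obj); ctx->frees++; }
    ctx->count = 0;
}

/* Parse a constructed list of (ref-id, type) fields and tear it down.
 * Returns the number of frees performed, or -1 if the stream was rejected. */
int ndr_demo(const uint32_t *ids, const int *types, size_t n)
{
    ndr_ctx ctx; memset(&ctx, 0, sizeof ctx);
    for (size_t i = 0; i < n; i++)
        if (ndr_read_pointer(&ctx, ids[i], types[i]) != 0) { ndr_destroy(&ctx); return -1; }
    ndr_destroy(&ctx);
    return ctx.frees;
}
```

With two fields carrying the same ref-id and type, `ndr_demo` frees one object rather than two; with the same ref-id under mismatched types it rejects the stream.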
CVSS 3.1
- Type
- Primary
- Base score
- 8.8
- Impact score
- 5.9
- Exploitability score
- 2.8
- Vector string
- CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
- Severity
- HIGH
- security-advisories@github.com
- CWE-415
- Hype score
- Not currently trending
Some increased actor activities are shown targeting FreeRDP (CVE-2026-44422) https://t.co/MWDL0xzjY4
@vuldb
30 May 2026
CVE-2026-44422 Heap Use-After-Free in FreeRDP RDPEAR NDR Parser Prior to... https://t.co/7gn4if10ia Don't wait for vulnerability scanning results: https://t.co/oh1APvMMnd
@VulmonFeeds
30 May 2026
[
  {
    "nodes": [
      {
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:freerdp:freerdp:*:*:*:*:*:*:*:*",
            "matchCriteriaId": "186FAA8A-CF9D-40F3-8509-DAC168BFDA2F",
            "versionEndExcluding": "3.26.0",
            "vulnerable": true
          }
        ],
        "negate": false,
        "operator": "OR"
      }
    ]
  }
]