CVE-2026-44422

HIGH 7.5

FreeRDP RDPEAR NDR ref-id aliasing causes client-side UAF/double-free and type confusion

CVSS Score

7.5

EPSS Score

0.0%

EPSS Percentile

15th

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.26.0, FreeRDP's RDPEAR NDR parser accepts one non-null NDR pointer ref-id for multiple logical pointer fields without tracking the pointed object's expected NDR type or ownership. When the same ref-id is reused across two pointer fields, the parser assigns the same heap object to both output fields. The generic destructor later walks each field independently and destroys/frees both pointers. This causes a malicious-server-triggerable heap use-after-free / double-free in the FreeRDP client's RDPEAR authentication-redirection path. This vulnerability is fixed in 3.26.0.

CWE	CWE-416 CWE-415
Vendor	freerdp
Product	freerdp
Published	May 29, 2026
Last Updated	Jun 2, 2026

Stay Ahead of the Next One

Get instant alerts for freerdp freerdp

Be the first to know when new high vulnerabilities affecting freerdp freerdp are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Affected Versions

FreeRDP / FreeRDP

< 3.26.0

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-j9q5-7g8m-jc9v