Severity: HIGH | CVE-2026-44420 | CNA: GitHub_M

CVE-2026-44420: FreeRDP cliprdr server heap-buffer-overflow via undersized capabilitySetLength in CB_CLIP_CAPS

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.26.0, a malicious RDP client can trigger a heap-buffer-overflow write in FreeRDP's server-side clipboard (cliprdr) channel by sending a CB_CLIP_CAPS PDU with a too-small capabilitySetLength. This can crash the server process (remote DoS) and may be exploitable for code execution because it corrupts heap memory. This vulnerability is fixed in 3.26.0.

HarborGuard Analysis

Synopsis

A heap-based buffer overflow in FreeRDP's server-side clipboard (cliprdr) channel lets a malicious RDP client send a CB_CLIP_CAPS message with an undersized capabilitySetLength, corrupting memory on the server. The bug is reached over the network and requires only a low-privilege RDP session (any client that can complete the handshake), with no victim interaction. Successful exploitation crashes the server process and may allow remote code execution through heap corruption; a patched-image rebuild at FreeRDP 3.26.0 is available on HarborGuard for affected environments.
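
The class of length check this bug depends on, as an added example (not FreeRDP's code and not the upstream fix): a validator that rejects a capability set whose declared length is smaller than its type requires before anything is sized from it. The field layout and the 12-byte general set size follow the MS-RDPECLIP capability-set format as an assumption, and `validate_clip_caps` and the sample buffers are hypothetical names constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>

/* Field sizes per the MS-RDPECLIP capability-set layout (assumed here). */
#define CAPS_SET_HDR_LEN        4u   /* capabilitySetType + capabilitySetLength */
#define CB_CAPSTYPE_GENERAL     0x0001u
#define CB_CAPSTYPE_GENERAL_LEN 12u  /* header + version + generalFlags */

enum { CAPS_OK = 0, CAPS_TRUNCATED = -1, CAPS_LEN_TOO_SMALL = -2, CAPS_LEN_OVERRUN = -3 };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return (uint32_t)rd16(p) | ((uint32_t)rd16(p + 2) << 16); }

/* Hypothetical validator for the CB_CLIP_CAPS body that follows the 8-byte
 * channel header: cCapabilitiesSets(2), pad(2), then the capability sets. */
int validate_clip_caps(const uint8_t *body, size_t len, uint32_t *general_flags)
{
    if (len < 4)
        return CAPS_TRUNCATED;
    uint16_t count = rd16(body);
    size_t off = 4;
    for (uint16_t i = 0; i < count; i++) {
        if (len - off < CAPS_SET_HDR_LEN)
            return CAPS_TRUNCATED;
        uint16_t type = rd16(body + off);
        uint16_t set_len = rd16(body + off + 2);
        /* The declared length must cover what will be read or written for this type. */
        if (set_len < CAPS_SET_HDR_LEN ||
            (type == CB_CAPSTYPE_GENERAL && set_len < CB_CAPSTYPE_GENERAL_LEN))
            return CAPS_LEN_TOO_SMALL;
        if (set_len > len - off)
            return CAPS_LEN_OVERRUN;
        if (type == CB_CAPSTYPE_GENERAL && general_flags)
            *general_flags = rd32(body + off + 8);
        off += set_len;
    }
    return CAPS_OK;
}

/* Constructed sample bodies: one well-formed, one declaring a 4-byte general set. */
const uint8_t sample_ok[]    = { 1,0, 0,0,  1,0, 12,0,  2,0,0,0,  2,0,0,0 };
const uint8_t sample_short[] = { 1,0, 0,0,  1,0,  4,0,  2,0,0,0,  2,0,0,0 };

int main(void)
{
    uint32_t flags = 0;
    int ok = validate_clip_caps(sample_ok, sizeof sample_ok, &flags) == CAPS_OK;
    int rejected = validate_clip_caps(sample_short, sizeof sample_short, &flags) == CAPS_LEN_TOO_SMALL;
    return (ok && rejected) ? 0 : 1;
}
```

The same three checks (minimum for the type, not past the end of the PDU, header present) are what to look for when reviewing any parser that allocates or copies based on a peer-supplied length field.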

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: the advisory is ingested from upstream feeds within minutes of publication and matched against FreeRDP binaries and libraries in customer registries, pipelines, and custom-built images. Coverage includes downstream images that bundle FreeRDP as a transitive dependency.

Status: Available

Triage

Findings are scored using the published CVSS 8.8 (HIGH) and re-weighted against each customer's compliance policy, so RDP-exposed workloads escalate faster than internal-only ones. Routing sends the issue to the inbox configured for high-severity remote code execution risks inside each customer org.

Status: Available

Patch

A patched-image rebuild at FreeRDP 3.26.0 is available on HarborGuard for environments running an affected version. For customers who opt into auto-remediation, the rebuild is produced, the regression suite is run, and a PR is opened against workloads pinned to vulnerable versions.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the FreeRDP server over the network on its RDP listener (AV:N).

  • Authentication: Required

    A low-privilege RDP session is needed; any client that can complete the connection and reach the cliprdr channel qualifies (PR:L).

  • Victim interaction: Not required

    No user action on the server side is needed; the malicious client drives the exploit alone (UI:N).

  • Attack complexity: Detail

    Attack complexity is low: the malformed CB_CLIP_CAPS PDU triggers the overflow reliably without race or layout conditions (AC:L).

Blast Radius

  • Crashes the FreeRDP server process, dropping all active RDP sessions on that host.
  • Corrupts heap memory in the server, opening a realistic path to remote code execution under the FreeRDP server's privileges.
  • Reads and modifies in-process memory adjacent to the overflow, including session state and clipboard buffers for connected users.
  • Disrupts availability of any service that exposes FreeRDP-based remote desktop or screen-sharing to clients.

How HarborGuard Handles This

Available on HarborGuard: rebuilt FreeRDP images at 3.26.0 are published for affected environments, and customers with auto-remediation enabled receive an automated rebuild, regression-test run, and PR opened against workloads still pinned to vulnerable versions. Median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes in auto-remediation environments. Where compliance policy blocks auto-merge, HarborGuard still surfaces the rebuilt image and suggests compensating controls such as restricting RDP exposure to trusted networks and disabling the clipboard channel until the patch lands.

Metrics

  • CVSS v3.1: 8.8
  • Severity: HIGH
  • Fixed in: 3.26.0
  • Affected products: 1
  • Affected packages: FreeRDP / FreeRDP < 3.26.0
  • CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H