CVE-2026-44422: FreeRDP RDPEAR NDR ref-id aliasing causes client-side UAF/double-free and type confusion
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.26.0, FreeRDP's RDPEAR NDR parser accepts one non-null NDR pointer ref-id for multiple logical pointer fields without tracking the pointed object's expected NDR type or ownership. When the same ref-id is reused across two pointer fields, the parser assigns the same heap object to both output fields. The generic destructor later walks each field independently and destroys/frees both pointers. This causes a malicious-server-triggerable heap use-after-free / double-free in the FreeRDP client's RDPEAR authentication-redirection path. This vulnerability is fixed in 3.26.0.
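A minimal C model of the aliasing described above, added here as an illustration and not taken from FreeRDP or its 3.26.0 fix. `resolve_unchecked` shows one ref-id handing the same allocation to two fields, while `resolve_checked` and `release_field` show one way to bind a ref-id to a type and a reference count. All type and function names are hypothetical.

```c
#include <stdint.h>
#include <stdlib.h>

/* Added illustration; every name here is hypothetical, not FreeRDP's API. */
typedef enum { NDR_T_BLOB = 1, NDR_T_STRING = 2 } ndr_type;
typedef struct { uint32_t ref_id; ndr_type type; void *obj; unsigned refs; } ref_entry;
typedef struct { ref_entry e[8]; size_t n; int frees; } ref_table;

/* Aliasing model: a repeated ref-id returns the same object with no type or
 * ownership record, so two fields end up holding one allocation. */
void *resolve_unchecked(ref_table *t, uint32_t id, size_t size) {
    for (size_t i = 0; i < t->n; i++)
        if (t->e[i].ref_id == id) return t->e[i].obj;
    if (t->n == 8) return NULL;
    void *obj = calloc(1, size);
    if (obj) t->e[t->n++] = (ref_entry){ id, (ndr_type)0, obj, 1 };
    return obj;
}

/* Checked model: a ref-id is bound to the type of its first use. A repeat with
 * another type, or after the object was freed, is rejected; a repeat with the
 * same type is a counted shared reference. Returns 0 on success, -1 otherwise. */
int resolve_checked(ref_table *t, uint32_t id, ndr_type type, size_t size, void **out) {
    *out = NULL;
    if (id == 0) return 0;                      /* null pointer on the wire */
    for (size_t i = 0; i < t->n; i++) {
        if (t->e[i].ref_id != id) continue;
        if (t->e[i].type != type || !t->e[i].obj) return -1;
        t->e[i].refs++;
        *out = t->e[i].obj;
        return 0;
    }
    if (t->n == 8) return -1;                   /* table full: fail closed */
    void *obj = calloc(1, size);
    if (!obj) return -1;
    t->e[t->n++] = (ref_entry){ id, type, obj, 1 };
    *out = obj;
    return 0;
}

/* Field destructor: drops one reference and frees only on the last release. */
void release_field(ref_table *t, void **field) {
    for (size_t i = 0; i < t->n; i++) {
        if (*field == NULL || t->e[i].obj != *field) continue;
        if (--t->e[i].refs == 0) { free(t->e[i].obj); t->e[i].obj = NULL; t->frees++; }
        break;
    }
    *field = NULL;
}
```

With the checked resolver, a per-field destructor that walks both fields frees the shared object once, and a ref-id reused for a different type is refused before any field is assigned.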
HarborGuard Analysis
Synopsis
A heap use-after-free and double-free in FreeRDP's RDPEAR NDR parser lets a malicious RDP server corrupt memory in the connecting client. Reaching the bug requires the client to connect to an attacker-controlled server (network vector with required user interaction); no authentication is needed. Successful exploitation can lead to code execution or a crash of the client process, with full read, modify, and disrupt impact. A patched-image rebuild at FreeRDP 3.26.0 is available on HarborGuard for affected environments.
HarborGuard Coverage
Detection is available across every HarborGuard environment: the advisory is ingested from upstream feeds within minutes of publication and matched against FreeRDP binaries and libraries in customer registries and CI pipelines, including custom-built images.
Available
Triage is available with the published CVSS v3.1 score of 7.5 (High) weighted against each customer's compliance policy, so the finding is routed to the appropriate inbox inside each org based on exposure of RDP client workloads and remediation SLAs.
Available
A patched-image rebuild at FreeRDP 3.26.0 is available on HarborGuard for environments running an affected version. For customers who opt into auto-remediation, the rebuild is generated, run through regression tests, and a PR is opened against affected workloads automatically.
Pending upstream
Exploit Conditions
- Network reachability: Required
  The client must connect over the network to a server controlled by the attacker for the malicious RDPEAR messages to be parsed.
- Authentication: Not required
  The malicious server does not need any credentials on the victim client to send the crafted NDR pointer fields.
- Victim interaction: Required
  A user must initiate or accept an RDP connection to the attacker's server, so the vector relies on luring the client to connect.
- Attack complexity: Detail
  Attack complexity is High: reliable exploitation depends on heap layout and timing around the double-free and type confusion.
Blast Radius
- Corrupts heap memory in the FreeRDP client process, enabling type confusion that an attacker can steer toward arbitrary code execution under the user running the RDP client.
- Reads memory contents reachable from the freed objects, including authentication material handled in the RDPEAR redirection path.
- Modifies in-process state by reusing the aliased pointer, letting the malicious server influence subsequent client behavior.
- Crashes the FreeRDP client through the double-free, disrupting the user's remote session.
How HarborGuard Handles This
Available on HarborGuard: a patched-image rebuild at FreeRDP 3.26.0 is published the moment the fix lands in upstream feeds, and for customers who opt into auto-remediation the rebuild is regression-tested and proposed as a PR against affected workloads. Median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes in environments with auto-remediation enabled. Where compliance policy delays the rebuild, suggested compensating controls include restricting outbound RDP connections via network policy and only initiating RDP sessions to trusted, known-good servers until the upgrade lands.
Metrics
- CVSS v3.1: 7.5
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
  - FreeRDP / FreeRDP < 3.26.0
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H