CVE-2026-44422
HighCVSS 7.5Exploitation Probability (EPSS)
Low risk30th percentile - higher than 30% of all known CVEs
Summary
In FreeRDP before 3.26.0, the RDPEAR NDR parser fails to track pointer references correctly, allowing a server to assign the same heap object to two pointer fields. This leads to a double-free or use-after-free vulnerability in the client's RDPEAR authentication-redirection path.
Risk Assessment
A malicious RDP server can remotely exploit this vulnerability to compromise the FreeRDP client, potentially leading to arbitrary code execution or system crash.
Recommendation
Upgrade FreeRDP to version 3.26.0 or later immediately, which fixes the double-free and use-after-free in the NDR parser.
Original NVD description (English source)
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.26.0, FreeRDP's RDPEAR NDR parser accepts one non-null NDR pointer ref-id for multiple logical pointer fields without tracking the pointed object's expected NDR type or ownership. When the same ref-id is reused across two pointer fields, the parser assigns the same heap object to both output fields. The generic destructor later walks each field independently and destroys/frees both pointers. This causes a malicious-server-triggerable heap use-after-free / double-free in the FreeRDP client's RDPEAR authentication-redirection path. This vulnerability is fixed in 3.26.0.

