Skip to main content

FreeRDP EUVDEUVD-2026-33434

| CVE-2026-44422 HIGH
Use After Free (CWE-416)
2026-05-29 GitHub_M
8.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
vuln.today AI
8.8 HIGH

Network-delivered by a malicious server (AV:N) with deterministic ref-id reuse (AC:L) and no attacker auth (PR:N), but requires the victim to connect (UI:R); memory corruption yields high C/I/A.

3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
SUSE
7.5 HIGH
AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Red Hat
7.5 HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

8
Analysis Updated
Jun 30, 2026 - 04:16 vuln.today
v5 (cvss_changed)
Analysis Updated
Jun 30, 2026 - 04:15 vuln.today
v4 (cvss_changed)
Analysis Updated
Jun 30, 2026 - 04:15 vuln.today
v3 (cvss_changed)
Analysis Updated
Jun 30, 2026 - 04:13 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 30, 2026 - 03:24 vuln.today
cvss_changed
CVSS changed
Jun 30, 2026 - 03:24 NVD
7.5 (HIGH) 8.8 (HIGH)
Patch available
May 29, 2026 - 21:02 EUVD
Analysis Generated
May 29, 2026 - 20:31 vuln.today

DescriptionNVD

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.26.0, FreeRDP's RDPEAR NDR parser accepts one non-null NDR pointer ref-id for multiple logical pointer fields without tracking the pointed object's expected NDR type or ownership. When the same ref-id is reused across two pointer fields, the parser assigns the same heap object to both output fields. The generic destructor later walks each field independently and destroys/frees both pointers. This causes a malicious-server-triggerable heap use-after-free / double-free in the FreeRDP client's RDPEAR authentication-redirection path. This vulnerability is fixed in 3.26.0.

AnalysisAI

Heap use-after-free/double-free in the FreeRDP RDP client (versions prior to 3.26.0) lets a malicious or compromised RDP server corrupt client memory through the RDPEAR authentication-redirection path. The flaw stems from the RDPEAR NDR parser reusing a single non-null pointer ref-id across multiple logical fields, causing the same heap object to be assigned to two outputs and freed twice by the generic destructor. There is no public exploit beyond a proof-of-concept (SSVC: poc), and EPSS exploitation probability is very low (0.05%), but the SSVC technical impact is rated total and a vendor fix is available.

Technical ContextAI

FreeRDP implements Microsoft's Remote Desktop Protocol. The vulnerable component is the RDPEAR (Remote Credential Guard / authentication-redirection) channel, which uses NDR (Network Data Representation) marshalling - the same RPC serialization format used in DCE/RPC and many Windows protocols. NDR pointers carry a ref-id that should uniquely identify each pointed-to object. The parser here does not track an object's expected NDR type or ownership per ref-id, so when a server sends one ref-id for two distinct logical pointer fields, both output fields end up referencing one heap allocation. This is a classic CWE-416 (Use After Free), manifesting as a double-free when the generic destructor independently walks and frees each field, and as a use-after-free if the freed object is reused before the second free.

RemediationAI

Vendor-released patch: upgrade FreeRDP to version 3.26.0 or later, which fixes the RDPEAR NDR pointer ref-id handling; this is the primary and recommended remediation per advisory GHSA-j9q5-7g8m-jc9v. For environments that cannot immediately update the library, the practical compensating control is to avoid connecting FreeRDP clients to untrusted or unverified RDP servers and to restrict outbound RDP (TCP 3389) to known, trusted endpoints, since the attack requires the client to reach a malicious server - the trade-off is reduced connectivity flexibility for users who legitimately connect to varied hosts. Where RDPEAR/Remote Credential Guard authentication redirection is not required, disabling or not negotiating that capability removes the vulnerable code path, at the cost of losing credential-redirection functionality. Distribution users should track and apply their vendor's backported package (e.g. Red Hat via https://access.redhat.com/security/cve/CVE-2026-44422). Do not rely on workarounds long-term; upgrade to 3.26.0.

CVE-2026-25997 CRITICAL POC
9.8 Feb 25

Use-after-free in FreeRDP xf_clipboard_format_equal before 3.23.0. Clipboard format comparison uses freed memory. Fifth

CVE-2026-25953 CRITICAL POC
9.8 Feb 25

Use-after-free in FreeRDP xf_AppUpdateWindowFromSurface before 3.23.0. Surface-to-window update triggers memory corrupti

CVE-2026-25952 CRITICAL POC
9.8 Feb 25

Use-after-free in FreeRDP xf_SetWindowMinMaxInfo before version 3.23.0. X11 client window management triggers memory cor

CVE-2026-25959 CRITICAL POC
9.8 Feb 25

Use-after-free in FreeRDP xf_cliprdr_provide_data clipboard handling before 3.23.0. Clipboard data exchange triggers mem

CVE-2026-22857 CRITICAL POC
9.8 Jan 14

FreeRDP IRP thread handler has a use-after-free where the IRP is freed by Complete() then accessed on the error path. Fi

CVE-2026-22854 CRITICAL POC
9.8 Jan 14

FreeRDP drive read heap overflow when server-controlled read length exceeds IRP output buffer. Fixed in 3.20.1. PoC avai

CVE-2026-22852 CRITICAL POC
9.8 Jan 14

FreeRDP client before 3.20.1 has a heap buffer overflow in AUDIN format processing. A malicious RDP server can corrupt m

CVE-2026-25955 CRITICAL POC
9.8 Feb 25

Use-after-free in FreeRDP xf_AppUpdateWindowFromSurface before 3.23.0. Different code path from CVE-2026-25953. PoC and

CVE-2024-32041 CRITICAL POC
9.8 Apr 22

FreeRDP is a free implementation of the Remote Desktop Protocol. Rated critical severity (CVSS 9.8), this vulnerability

CVE-2023-40574 CRITICAL POC
9.8 Aug 31

FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license. Rated critical

CVE-2023-40569 CRITICAL POC
9.8 Aug 31

FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license. Rated critical

CVE-2023-40567 CRITICAL POC
9.8 Aug 31

FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license. Rated critical

Vendor StatusVendor

SUSE

Severity: High
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP7 Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP7 Fixed

Share

EUVD-2026-33434 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy