HIGH 7.5

CVE-2026-44422: FreeRDP RDPEAR Double-Free Vulnerability (HIGH Severity)

FreeRDP, a widely-used open-source Remote Desktop Protocol client, contains a memory corruption vulnerability in its authentication-redirection subsystem. A malicious RDP server can craft specially-formed authentication data that causes the FreeRDP client to allocate a single heap object but then attempt to free it twice—or use it after the first deallocation. This occurs because the parser doesn't properly track which heap objects correspond to which data structures when the same object reference is reused. The result is a crash or potential code execution on the client machine. The vulnerability requires user interaction (connecting to a malicious server) but affects all FreeRDP versions before 3.26.0.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-415, CWE-416, CWE-825
Affected products
1 configuration(s)
Published / Modified
2026-05-29 / 2026-06-30

NVD description (verbatim)

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.26.0, FreeRDP's RDPEAR NDR parser accepts one non-null NDR pointer ref-id for multiple logical pointer fields without tracking the pointed object's expected NDR type or ownership. When the same ref-id is reused across two pointer fields, the parser assigns the same heap object to both output fields. The generic destructor later walks each field independently and destroys/frees both pointers. This causes a malicious-server-triggerable heap use-after-free / double-free in the FreeRDP client's RDPEAR authentication-redirection path. This vulnerability is fixed in 3.26.0.

5 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The RDPEAR (Remote Desktop Protocol Extended Audio Redirection) NDR (Network Data Representation) parser in FreeRDP fails to validate object identity and ownership when multiple pointer fields reference the same heap object via a shared ref-id. The parser does not track the expected NDR type for dereferenced pointers or enforce one-to-one mapping between ref-ids and their pointed objects. When a malicious server sends a crafted authentication packet containing duplicate ref-ids across logically distinct pointer fields, both fields receive assignments to the same heap allocation. During cleanup, the generic destructor invokes separate delete/free operations on each field pointer without reference counting, resulting in a double-free or use-after-free condition. The vulnerability manifests in the authentication-redirection code path, which processes server responses before the user is fully authenticated.

Business impact

Organizations relying on FreeRDP for secure remote access—including Linux desktops, thin clients, and automated RDP clients—face credential compromise, session hijacking, or client-side code execution if users connect to attacker-controlled or compromised RDP servers. The vulnerability is particularly critical for businesses using FreeRDP in security-sensitive environments such as jump hosts, bastion servers, or remote access gateways, where a compromised client can serve as a pivot point. Enterprises must prioritize patching to prevent attackers from leveraging malicious RDP infrastructure to gain foothold access. The requirement for user interaction (initiating a connection) reduces the likelihood of mass worm-like propagation but does not eliminate risk in targeted scenarios.

Affected systems

All FreeRDP versions prior to 3.26.0 are affected. This includes long-standing releases commonly deployed in enterprise and open-source Linux distributions. FreeRDP is packaged in major Linux distributions (Ubuntu, Debian, Red Hat, SUSE) and is used in Remmina (a popular RDP client for Linux desktops), GNOME Connections, and numerous thin-client and remote-access appliance manufacturers. Mobile and web-based RDP clients using FreeRDP as a backend library are also in scope. Verify the specific version bundled in your environment and cross-reference against vendor release notes.

Exploitability

Exploitation requires a user to initiate an RDP connection to an attacker-controlled or compromised server, making this a classic 'malicious-server' attack vector. The CVSS score of 7.5 (HIGH) reflects high impact (confidentiality, integrity, availability) but elevated attack complexity (AC:H) and the requirement for user interaction (UI:R). An attacker cannot remotely trigger the vulnerability without the user's participation. However, in environments where users routinely connect to untrusted or semi-trusted RDP servers, or where an attacker has compromised a legitimate RDP gateway, the user-interaction barrier becomes minimal. The vulnerability has not been added to CISA's Known Exploited Vulnerabilities (KEV) catalog, indicating no confirmed public exploitation in the wild as of the published date, but this does not preclude rapid exploitation post-disclosure.

Remediation

Upgrade FreeRDP to version 3.26.0 or later. Users should verify patch availability for their specific platform: check official Linux distribution repositories, the FreeRDP GitHub repository (https://github.com/FreeRDP/FreeRDP), and any downstream applications bundling FreeRDP (Remmina, GNOME Connections, etc.). For organizations unable to patch immediately, restrict RDP client connections to known-good, internal RDP servers and disable unauthenticated or guest access to RDP gateways. Monitor for unexpected RDP connection failures or crashes, which may indicate exploitation attempts.

Patch guidance

FreeRDP 3.26.0 includes the upstream fix. Check your distribution's package repositories (apt, yum, zypper, pacman) for version availability. Users of Remmina, GNOME Connections, or other RDP-dependent applications should also check those projects' release schedules; they may lag behind FreeRDP's upstream releases. If your platform does not yet offer version 3.26.0, consult your vendor's security advisory for backport information. Verify the patch by checking the installed FreeRDP version using `freerdp-pkg-config --version` or examining version strings in dependent application logs. Test RDP connectivity after patching to confirm no regression.

Detection guidance

Monitor FreeRDP logs and system-level indicators for signs of exploitation: heap corruption warnings, segmentation faults in FreeRDP client processes, and unexpected RDP connection terminations during authentication phases. Enable address sanitizer (ASAN) in development or test environments to detect double-free and use-after-free conditions more reliably. Network-side detection is difficult because the malicious payload is encrypted within the RDP TLS session, but intrusion detection systems can flag unusual RDP authentication patterns or connections from suspicious IP ranges. Correlate FreeRDP process crashes with recent RDP connection attempts to identify potential attacks. Review RDP server logs to identify clients connecting to non-standard or untrusted endpoints.

Why prioritize this

HIGH severity due to memory corruption leading to potential code execution, combined with widespread FreeRDP deployment in enterprise remote-access and Linux desktop environments. Although exploitation requires user interaction and no public exploitation has been confirmed, the ease of hosting a malicious RDP server and the high business impact of client-side compromise warrant immediate patch deployment. Organizations should prioritize this within 30 days, particularly for systems used by privileged users or those connecting to external or semi-trusted RDP servers.

Risk score, explained

The CVSS 3.1 score of 7.5 (HIGH) reflects: (1) high impact across confidentiality, integrity, and availability; (2) network-based attack vector requiring no special privileges; (3) elevated complexity due to the need for precise NDR pointer manipulation; (4) requirement for user interaction (initiating the RDP connection); and (5) user-scoped impact (single authenticated session, not system-wide). The score correctly penalizes the user-interaction requirement while acknowledging the severity of memory corruption. The absence of KEV designation reflects lack of confirmed active exploitation but does not reduce the intrinsic risk. Organizations should treat this as a high-priority patch target given FreeRDP's pervasive use.

Frequently asked questions

Can this vulnerability be exploited without a user connecting to a malicious RDP server?

No. The vulnerability is triggered only when a FreeRDP client connects to an attacker-controlled or compromised RDP server that sends a specially-crafted authentication packet. The user must initiate the connection; the attacker cannot remotely trigger it.

What versions of FreeRDP are affected?

All versions prior to 3.26.0 are affected. Version 3.26.0 and later include the fix. Check your distribution's package manager or the FreeRDP GitHub repository to confirm your installed version.

If I patch FreeRDP, do I need to patch Remmina, GNOME Connections, or other RDP clients separately?

No. These applications depend on the FreeRDP library. Patching FreeRDP itself (usually via your distribution's package manager) will fix the vulnerability in all dependent applications. However, verify that your distribution offers FreeRDP 3.26.0; some may take time to rebuild and distribute it.

What is the difference between this vulnerability's CWEs?

CWE-415 and CWE-416 describe double-free and use-after-free memory errors, respectively. CWE-825 (Expired Pointer Dereference) covers the broader category of problems with object lifetime management. Together, they reflect the root cause: improper tracking of heap object ownership across multiple pointer fields.

This analysis is based on publicly available vulnerability data as of the date of publication. SEC.co does not provide warranty of patch availability, version numbers, or timelines for specific vendors or distributions. Readers must verify patch status against official vendor advisories and their own environment's package repositories. This explainer is for informational purposes and does not constitute professional security advice; organizations should consult their own security teams and vendor guidance for deployment decisions. Exploitation scenarios are illustrative; actual attack feasibility may vary by network architecture and security controls. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).