PatchSiren cyber security CVE debrief

CVE-2026-44420 FreeRDP CVE debrief

A heap-buffer-overflow vulnerability exists in FreeRDP's server-side clipboard (cliprdr) channel prior to version 3.26.0. A malicious RDP client can trigger this flaw by sending a CB_CLIP_CAPS PDU with a malformed capabilitySetLength value that is too small. This memory corruption can crash the server process, resulting in remote denial of service, and may be exploitable for code execution. The vulnerability was disclosed on May 29, 2026, and is fixed in FreeRDP 3.26.0.

Vendor: FreeRDP
Product: Unknown
CVSS: HIGH 8.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-29
Original CVE updated: 2026-05-29
Advisory published: 2026-05-29
Advisory updated: 2026-05-29

Who should care

Organizations running FreeRDP-based RDP servers, particularly those exposed to untrusted networks or multi-tenant environments where client trust cannot be guaranteed. This vulnerability is especially concerning for service providers using FreeRDP in gateway or bastion host scenarios.

Technical summary

The vulnerability resides in FreeRDP's implementation of the server-side clipboard channel (cliprdr). The CB_CLIP_CAPS PDU (Clipboard Capabilities PDU) contains a capabilitySetLength field that is not properly validated. When a malicious client sends this PDU with a capabilitySetLength value smaller than expected, it causes a heap-buffer-overflow write. This memory corruption can lead to server process termination (remote DoS) and potentially arbitrary code execution within the context of the server process. The attack requires network access to the RDP server and valid low-privilege authentication, but no user interaction.
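The class of length check the summary describes, as an added example (not FreeRDP's code and not the 3.26.0 patch). The field layout is assumed from the public MS-RDPECLIP specification; `validate_clip_caps`, the status names and the sample bodies are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Assumed layout (MS-RDPECLIP), body after the 8-byte clipboard header:
 *   cCapabilitiesSets u16 | pad1 u16 | capability sets...
 *   each set: capabilitySetType u16 | capabilitySetLength u16 | data
 *   general set: length 12 = 4-byte header + version u32 + generalFlags u32 */
#define CAPS_BODY_HDR      4u
#define CAPSET_HDR         4u
#define CAPSTYPE_GENERAL   0x0001u
#define GENERAL_CAPSET_LEN 12u

enum caps_status { CAPS_OK, CAPS_TRUNCATED, CAPS_LEN_TOO_SMALL,
                   CAPS_LEN_PAST_END, CAPS_BAD_GENERAL_LEN };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }

/* Hypothetical validator: every length is checked before a field is read. */
enum caps_status validate_clip_caps(const uint8_t *body, size_t len, uint32_t *flags)
{
    if (len < CAPS_BODY_HDR) return CAPS_TRUNCATED;
    uint16_t count = rd16(body);
    size_t off = CAPS_BODY_HDR;                 /* invariant: off <= len */
    for (uint16_t i = 0; i < count; i++) {
        if (len - off < CAPSET_HDR) return CAPS_TRUNCATED;
        uint16_t type = rd16(body + off);
        uint16_t set_len = rd16(body + off + 2);
        /* Below the header size, (set_len - CAPSET_HDR) would wrap and the
         * cursor would not advance past the header that was just read. */
        if (set_len < CAPSET_HDR) return CAPS_LEN_TOO_SMALL;
        if (set_len > len - off) return CAPS_LEN_PAST_END;
        if (type == CAPSTYPE_GENERAL) {
            if (set_len != GENERAL_CAPSET_LEN) return CAPS_BAD_GENERAL_LEN;
            if (flags) *flags = rd32(body + off + 8);
        }
        off += set_len;
    }
    return CAPS_OK;
}

/* Constructed sample bodies (not captured traffic). */
static const uint8_t SAMPLE_OK[]    = {1,0, 0,0, 1,0, 12,0, 2,0,0,0, 0x1E,0,0,0};
static const uint8_t SAMPLE_SHORT[] = {1,0, 0,0, 1,0, 2,0,  2,0,0,0, 0x1E,0,0,0};
static const uint8_t SAMPLE_LONG[]  = {1,0, 0,0, 1,0, 64,0, 2,0,0,0, 0x1E,0,0,0};

int main(void)
{
    return validate_clip_caps(SAMPLE_OK, sizeof SAMPLE_OK, NULL) == CAPS_OK &&
           validate_clip_caps(SAMPLE_SHORT, sizeof SAMPLE_SHORT, NULL) == CAPS_LEN_TOO_SMALL ? 0 : 1;
}
```

The same three rejections (length below the set header, length past the end of the PDU, wrong fixed length for a known type) make useful regression cases when confirming that a deployed build rejects malformed capability sets instead of crashing.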

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade FreeRDP to version 3.26.0 or later to remediate this vulnerability
  • Restrict RDP server access to trusted clients only as a temporary mitigation
  • Monitor for anomalous RDP client connections and clipboard channel activity
  • Review application logs for unexpected server process crashes that may indicate exploitation attempts

Evidence notes

The vulnerability description is sourced from the official CVE record and NVD entry, which reference GitHub Security Advisory GHSA-mvpx-xj7r-3p3r. The CVSS 3.1 score of 8.8 (HIGH) reflects network attack vector, low attack complexity, low privileges required, and high impact to confidentiality, integrity, and availability. CWE-122 (Heap-based Buffer Overflow) is the identified weakness.
