PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-44422 FreeRDP CVE debrief

## Summary

FreeRDP versions prior to 3.26.0 contain a heap use-after-free/double-free vulnerability in the RDPEAR NDR parser. A malicious RDP server can trigger memory corruption by reusing the same non-null NDR pointer reference ID across multiple logical pointer fields, causing the parser to assign the same heap object to multiple output fields. The generic destructor then independently frees both pointers, leading to use-after-free or double-free conditions during RDPEAR authentication-redirection processing.

## Technical Details

The vulnerability stems from improper pointer reference tracking in FreeRDP's Network Data Representation (NDR) parser for RDPEAR (Remote Desktop Protocol Authentication Extension for Redirection). The parser accepts a single non-null NDR pointer ref-id for multiple logical pointer fields without validating:

- The expected NDR type of the pointed object
- Ownership semantics for the referenced object

When identical ref-ids are reused across distinct pointer fields, the parser performs shallow assignment of the same heap-allocated object to multiple output structures. During cleanup, the generic destructor iterates through each field independently and invokes the destructor/free operation on both pointers, resulting in double-free or subsequent use-after-free access.

This vulnerability is reachable through the client-side RDPEAR authentication-redirection code path, requiring interaction with a malicious or compromised RDP server.
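The two missing checks named above (expected type and single ownership) can be modelled with a small ref-id table. This is an added example, not FreeRDP's code or its actual fix: every type, function and field name is hypothetical, and rejecting any reuse of a non-null ref-id is an assumed policy chosen so that a per-field destructor frees each object exactly once.

```c
#include <stdint.h>
#include <stdlib.h>
/* Hypothetical names throughout: a model of the bug class, not FreeRDP's API. */
enum ndr_type { T_STRING = 1, T_BLOB = 2 };
enum ndr_rc { NDR_OK = 0, NDR_ERR_REUSED = -1, NDR_ERR_TYPE = -2, NDR_ERR_LIMIT = -3 };
#define MAX_REFS 16
struct ref_table { uint32_t id[MAX_REFS]; enum ndr_type type[MAX_REFS]; size_t n; };
struct creds { void *user; void *ticket; };

/* Bind one pointer field. Ref-id 0 is the NDR null pointer; a non-null ref-id
 * may be owned by exactly one field, so each heap object is freed once. */
static int ndr_bind_pointer(struct ref_table *t, uint32_t ref_id,
                            enum ndr_type want, size_t size, void **field)
{
    *field = NULL;
    if (ref_id == 0)
        return NDR_OK;
    for (size_t i = 0; i < t->n; i++)
        if (t->id[i] == ref_id) /* seen before: never alias into a second owner */
            return t->type[i] == want ? NDR_ERR_REUSED : NDR_ERR_TYPE;
    void *obj = (t->n < MAX_REFS) ? calloc(1, size) : NULL;
    if (!obj)
        return NDR_ERR_LIMIT; /* table full or out of memory */
    t->id[t->n] = ref_id;
    t->type[t->n++] = want;
    *field = obj;
    return NDR_OK;
}

/* Generic destructor: frees every field independently. */
static void creds_free(struct creds *c)
{
    free(c->user);   c->user = NULL;
    free(c->ticket); c->ticket = NULL;
}

/* Parse a constructed two-pointer message, given the ref-id of each field. */
static int parse_creds(uint32_t ref_user, uint32_t ref_ticket, struct creds *out)
{
    struct ref_table t = { .n = 0 };
    int rc = ndr_bind_pointer(&t, ref_user, T_STRING, 32, &out->user);
    out->ticket = NULL;
    if (rc == NDR_OK)
        rc = ndr_bind_pointer(&t, ref_ticket, T_BLOB, 64, &out->ticket);
    if (rc != NDR_OK)
        creds_free(out); /* safe: no two fields share an object */
    return rc;
}
```

With distinct ref-ids both fields receive separate allocations; when the same ref-id arrives for the second field, the parse fails before any aliasing occurs and cleanup frees one object once.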
## Affected Versions

- FreeRDP: versions prior to 3.26.0

## Fixed Versions

- FreeRDP: 3.26.0 and later

## CVSS Assessment

- **Score**: 7.5 (HIGH)
- **Vector**: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
- **Attack Vector**: Network
- **Attack Complexity**: High
- **Privileges Required**: None
- **User Interaction**: Required
- **Scope**: Unchanged
- **Impact**: High confidentiality, integrity, and availability impact

The HIGH severity reflects the potential for remote code execution through heap memory corruption, though exploitation requires user interaction (connecting to a malicious server) and high attack complexity.

## Detection and Mitigation

### Detection Considerations

- Monitor for anomalous RDP connections

  • Vendor: FreeRDP
  • Product: Unknown
  • CVSS: HIGH 7.5
  • CISA KEV: Not listed in stored evidence
  • Original CVE published: 2026-05-29
  • Original CVE updated: 2026-05-29
  • Advisory published: 2026-05-29
  • Advisory updated: 2026-05-29

Who should care

Organizations using FreeRDP clients for remote desktop connectivity, particularly those connecting to external or untrusted RDP servers. Security teams responsible for endpoint protection and vulnerability management in environments with RDP client deployments.

Technical summary

The FreeRDP RDPEAR NDR parser fails to track pointer ownership when the same ref-id is reused across multiple pointer fields, enabling malicious-server-triggered heap corruption through double-free or use-after-free conditions. Fixed in FreeRDP 3.26.0.

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade FreeRDP to version 3.26.0 or later to address the RDPEAR NDR parser vulnerability
  • Restrict RDP client connections to trusted, authenticated servers only
  • Monitor for FreeRDP security updates and apply patches promptly
  • Consider network segmentation to limit exposure of RDP client systems to untrusted networks
  • Review and validate RDP server certificates to reduce risk of man-in-the-middle attacks

Evidence notes

Vulnerability description derived from official CVE record and GitHub Security Advisory. CVSS vector and scoring from NVD source data. Fix version and affected component details from vendor security advisory.

Official resources

2026-05-29