CVE-2026-44420
Published 2026-05-29
Priority: P2 · 64 · high · CVSS 3.1: 8.8
Vector: AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
EPSS: 3.47% (87.6th percentile)
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.26.0, a malicious RDP client can trigger a heap-buffer-overflow write in FreeRDP's server-side clipboard (cliprdr) channel by sending a CB_CLIP_CAPS PDU with a too-small capabilitySetLength. This can crash the server process (remote DoS) and may be exploitable for code execution because it corrupts heap memory. This vulnerability is fixed in 3.26.0.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| freerdp | freerdp | < 3.26.0 | 3.26.0 |
| freerdp | freerdp | — | — |
Detection & IOCs (extracted from sources)
- Trigger condition: malicious RDP client sends a CB_CLIP_CAPS PDU with a too-small capabilitySetLength to the server-side clipboard (cliprdr) channel, causing a heap-buffer-overflow write
- Monitor FreeRDP server processes for unexpected crashes or heap corruption, which may indicate exploitation of the cliprdr channel heap-buffer-overflow
- Inspect RDP clipboard channel (cliprdr) traffic for CB_CLIP_CAPS PDUs where capabilitySetLength is smaller than expected — anomalously small values are the exploit primitive
- Vulnerability only affects FreeRDP acting as a server (server-side clipboard channel); FreeRDP client-side deployments are not the attack surface here
- Fixed in FreeRDP 3.26.0; all prior versions are vulnerable. Red Hat Enterprise Linux 6 is out of support scope; RHEL 7, 8, 9, and 10 are listed as affected
- Exploitation requires an authenticated remote attacker (authenticated RDP session), not unauthenticated access
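The following is an added, constructed example, not FreeRDP's code and not the 3.26.0 fix: a standalone C parser for the CB_CLIP_CAPS PDU that applies the bounds check whose absence CWE-131 (incorrect calculation of buffer size) describes. The field layout follows MS-RDPECLIP (an 8-byte CLIPRDR_HEADER, a 2-byte cCapabilitiesSets count plus 2-byte pad, then capability sets each starting with a 2-byte type and a 2-byte length); the name capabilitySetLength follows this advisory. The attacker-controlled length is rejected both when it is smaller than the structure it must cover and when it exceeds the bytes actually received, which is the check that turns the detection hint above ("capabilitySetLength smaller than expected") into a parser decision. The two sample PDUs are constructed inline, not captured traffic.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constants from MS-RDPECLIP (clipboard virtual channel extension). */
#define CB_CLIP_CAPS          0x0007  /* msgType of the Clipboard Capabilities PDU */
#define CB_CAPSTYPE_GENERAL   0x0001  /* capabilitySetType of the General Capability Set */
#define CLIPRDR_HEADER_LEN    8       /* msgType(2) + msgFlags(2) + dataLen(4) */
#define CAPS_SET_HEADER_LEN   4       /* capabilitySetType(2) + capabilitySetLength(2) */
#define GENERAL_CAPS_SET_LEN  12      /* set header(4) + version(4) + generalFlags(4) */

enum caps_result {
    CAPS_OK = 0,
    CAPS_TRUNCATED,       /* a declared length exceeds the bytes actually received */
    CAPS_BAD_MSG_TYPE,    /* not a CB_CLIP_CAPS PDU */
    CAPS_BAD_SET_LENGTH   /* capabilitySetLength smaller than the set it must describe */
};

struct general_caps {
    bool     present;
    uint32_t version;
    uint32_t general_flags;
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Parse a CB_CLIP_CAPS PDU. Every length taken from the wire is checked against
 * its minimum (the structure it must at least cover) and its maximum (the bytes
 * left in the PDU) before it is used to index memory or advance the cursor. */
enum caps_result parse_clip_caps(const uint8_t *buf, size_t len, struct general_caps *out)
{
    out->present = false;
    if (len < CLIPRDR_HEADER_LEN + 4)               /* header + cCapabilitiesSets + pad1 */
        return CAPS_TRUNCATED;
    if (rd16(buf) != CB_CLIP_CAPS)
        return CAPS_BAD_MSG_TYPE;

    uint32_t data_len = rd32(buf + 4);
    if (data_len > len - CLIPRDR_HEADER_LEN)        /* dataLen must fit the buffer */
        return CAPS_TRUNCATED;
    size_t pos = CLIPRDR_HEADER_LEN;
    size_t end = CLIPRDR_HEADER_LEN + data_len;
    if (end - pos < 4)
        return CAPS_TRUNCATED;

    uint16_t count = rd16(buf + pos);
    pos += 4;                                        /* cCapabilitiesSets(2) + pad1(2) */

    for (uint16_t i = 0; i < count; i++) {
        if (end - pos < CAPS_SET_HEADER_LEN)
            return CAPS_TRUNCATED;
        uint16_t set_type = rd16(buf + pos);
        uint16_t set_len  = rd16(buf + pos + 2);

        /* The check this CVE class is about: capabilitySetLength is attacker-controlled.
         * A value below the 4-byte set header makes "set_len - header" wrap around in
         * unsigned arithmetic, and a value below 12 for the general set means the
         * version/generalFlags fields would be read or copied from beyond the set. */
        if (set_len < CAPS_SET_HEADER_LEN)
            return CAPS_BAD_SET_LENGTH;
        if (set_len > end - pos)                     /* upper bound: stay inside the PDU */
            return CAPS_TRUNCATED;

        if (set_type == CB_CAPSTYPE_GENERAL) {
            if (set_len < GENERAL_CAPS_SET_LEN)
                return CAPS_BAD_SET_LENGTH;
            out->present       = true;
            out->version       = rd32(buf + pos + 4);
            out->general_flags = rd32(buf + pos + 8);
        }
        pos += set_len;  /* unknown set types are skipped by their validated length */
    }
    return CAPS_OK;
}

/* Constructed sample PDUs (not captured traffic). All fields little-endian. */
static const uint8_t VALID_CAPS_PDU[] = {
    0x07, 0x00,  0x00, 0x00,  0x10, 0x00, 0x00, 0x00,   /* CB_CLIP_CAPS, flags 0, dataLen 16 */
    0x01, 0x00,  0x00, 0x00,                            /* cCapabilitiesSets 1, pad1 */
    0x01, 0x00,  0x0C, 0x00,                            /* general set, capabilitySetLength 12 */
    0x02, 0x00, 0x00, 0x00,  0x02, 0x00, 0x00, 0x00     /* version 2, generalFlags (constructed) */
};
static const uint8_t SHORT_LEN_CAPS_PDU[] = {
    0x07, 0x00,  0x00, 0x00,  0x10, 0x00, 0x00, 0x00,
    0x01, 0x00,  0x00, 0x00,
    0x01, 0x00,  0x02, 0x00,                            /* capabilitySetLength 2: too small */
    0x02, 0x00, 0x00, 0x00,  0x02, 0x00, 0x00, 0x00
};

int valid_sample_version(void)      /* parsed version of the valid sample, or -1 if rejected */
{
    struct general_caps c;
    if (parse_clip_caps(VALID_CAPS_PDU, sizeof VALID_CAPS_PDU, &c) != CAPS_OK || !c.present)
        return -1;
    return (int)c.version;
}

int short_len_sample_result(void)   /* enum caps_result returned for the malformed sample */
{
    struct general_caps c;
    return (int)parse_clip_caps(SHORT_LEN_CAPS_PDU, sizeof SHORT_LEN_CAPS_PDU, &c);
}

int main(void)
{
    printf("valid PDU    -> version %d\n", valid_sample_version());
    printf("short length -> result %d (3 = CAPS_BAD_SET_LENGTH)\n", short_len_sample_result());
    return 0;
}
```

The same two checks (lower bound against the fixed header, upper bound against the bytes remaining) are what a network-side detection rule for the cliprdr channel would evaluate: a CB_CLIP_CAPS PDU carrying a general capability set with capabilitySetLength below 12 is malformed under MS-RDPECLIP and is the anomaly the IOC list above describes.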
CVSS provenance
- nvd (v3.1): 8.8 HIGH, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- vendor_redhat: 8.8 HIGH
VulDB
FreeRDP up to 3.25.x CB_CLIP_CAPS PDU capabilitySetLength heap-based overflow (GHSA-mvpx-xj7r-3p3r / EUVD-2026-33435)
vuldb · 2026-05-30 · CVSS 8.8 · HIGH
A vulnerability, which was classified as critical, was found in FreeRDP up to 3.25.x. This impacts an unknown function of the component CB_CLIP_CAPS PDU Handler. Such manipulation of the argument capabilitySetLength leads to heap-based buffer overflow.
This vulnerability is documented as CVE-2026-44420. The attack can be executed remotely. There is no exploit available.
You should upgrade the affected component.
Red Hat
freerdp: FreeRDP: Arbitrary code execution and denial of service via heap-buffer-overflow
vendor_redhat · 2026-05-29 · CVSS 8.8 · HIGH · CWE-131
A heap-buffer overflow vulnerability exists in the FreeRDP server's clipboard channel. A remote attacker can exploit this by sending a specially crafted message to the server, which can crash the service (Denial of Service) or potentially allow the attacker to execute arbitrary c
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2026-44420 freerdp: FreeRDP: Arbitrary code execution and denial of service via heap-buffer-overflow [fedora-all]
bugzilla · 2026-06-23 · CVSS 8.8 · HIGH
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-44420 freerdp2: FreeRDP: Arbitrary code execution and denial of service via heap-buffer-overflow [epel-all]
bugzilla · 2026-06-23 · CVSS 8.8 · HIGH
Bugzilla
CVE-2026-44420 freerdp2: FreeRDP: Arbitrary code execution and denial of service via heap-buffer-overflow [fedora-all]
bugzilla · 2026-06-23 · CVSS 8.8 · HIGH
Bugzilla
CVE-2026-44420 freerdp: FreeRDP: Arbitrary code execution and denial of service via heap-buffer-overflow
bugzilla · 2026-05-29 · CVSS 8.8 · HIGH
References
- https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-mvpx-xj7r-3p3r
- https://access.redhat.com/security/cve/CVE-2026-44420
- https://bugzilla.redhat.com/show_bug.cgi?id=2483480
- https://github.com/yhirose/cpp-httplib/security/advisories/GHSA-h6wq-j5mv-f3q8
- https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-44420.json
Published: 2026-05-29