cbcvebase.
CVE-2026-44420
published 2026-05-29

CVE-2026-44420: FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.26.0, a malicious RDP client can trigger a heap-buffer-overflow write in FreeRDP's…

PriorityP264high8.8CVSS 3.1
AVNACLPRLUINSUCHIHAH
EPSS
3.47%
87.6th percentile
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.26.0, a malicious RDP client can trigger a heap-buffer-overflow write in FreeRDP's server-side clipboard (cliprdr) channel by sending a CB_CLIP_CAPS PDU with a too-small capabilitySetLength. This can crash the server process (remote DoS) and may be exploitable for code execution because it corrupts heap memory. This vulnerability is fixed in 3.26.0.

Affected

2 ranges
VendorProductVersion rangeFixed in
freerdpfreerdp< 3.26.03.26.0
freerdpfreerdp

Detection & IOCsextracted from sources · hover to see the quote

  • Trigger condition: malicious RDP client sends a CB_CLIP_CAPS PDU with a too-small capabilitySetLength to the server-side clipboard (cliprdr) channel, causing a heap-buffer-overflow write
  • Monitor FreeRDP server processes for unexpected crashes or heap corruption, which may indicate exploitation of the cliprdr channel heap-buffer-overflow
  • Inspect RDP clipboard channel (cliprdr) traffic for CB_CLIP_CAPS PDUs where capabilitySetLength is smaller than expected — anomalously small values are the exploit primitive
  • ·Vulnerability only affects FreeRDP acting as a server (server-side clipboard channel); FreeRDP client-side deployments are not the attack surface here
  • ·Fixed in FreeRDP 3.26.0; all prior versions are vulnerable. Red Hat Enterprise Linux 6 is out of support scope; RHEL 7, 8, 9, and 10 are listed as affected
  • ·Exploitation requires an authenticated remote attacker (authenticated RDP session), not unauthenticated access

CVSS provenance

nvdv3.18.8HIGHCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vendor_redhat8.8HIGH
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.