CVE-2026-44422

Name of the Vulnerable Software and Affected Versions FreeRDP versions prior to 3.26.0

Description The RDPEAR NDR parser in FreeRDP accepts a single non-null NDR pointer ref-id for multiple logical pointer fields without tracking the expected NDR type or ownership of the pointed object. If the same ref-id is reused across two pointer fields, the parser assigns the same heap object to both output fields. Subsequently, the generic destructor processes each field independently, leading to a heap use-after-free or double-free condition in the client's RDPEAR authentication-redirection path, which can be triggered by a malicious server.

Recommendations Update to version 3.26.0.