CVE-2026-22852
Published: 14 January 2026
Summary
CVE-2026-22852 is a critical-severity Out-of-bounds Write (CWE-787) vulnerability in FreeRDP (vendor: FreeRDP). Its CVSS v3.1 base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). It is ranked at the 29.2nd percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and AC-17 (Remote Access).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SI-2 (Flaw Remediation): Mandates timely identification, reporting, and correction of software flaws such as this heap buffer overflow in FreeRDP clients prior to version 3.20.1; updating to 3.20.1 is the fix.
SI-16 (Memory Protection): Implements memory protections such as address space layout randomization and non-executable memory. These raise the cost of turning the heap overflow into code execution but do not prevent the out-of-bounds write or the resulting crash.
AC-17 (Remote Access): Authorizes and manages remote access sessions, including RDP, so that FreeRDP clients only connect to approved servers rather than to untrusted or malicious servers that can send a crafted AUDIN format list.
MITRE ATT&CK Enterprise Techniques
Exploitation for Client Execution (T1203)
Why these techniques?
The heap overflow is in the FreeRDP client and is triggered by data sent by the RDP server the client connects to, so a malicious or compromised server can exploit it for code execution (or denial of service) on the client. That is client-side exploitation of a connecting application, which maps directly to T1203.
NVD Description
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, a malicious RDP server can trigger a heap-buffer-overflow write in the FreeRDP client when processing Audio Input (AUDIN) format lists. audin_process_formats reuses callback->formats_count across multiple MSG_SNDIN_FORMATS PDUs and writes past the newly allocated formats array, causing memory corruption and a crash. This vulnerability is fixed in 3.20.1.
Deeper analysis
CVE-2026-22852 is a heap-buffer-overflow write vulnerability (CWE-787) in FreeRDP, a free implementation of the Remote Desktop Protocol, affecting client versions prior to 3.20.1. The issue arises when processing Audio Input (AUDIN) format lists sent by a malicious RDP server. Specifically, the audin_process_formats function reuses callback->formats_count across multiple MSG_SNDIN_FORMATS PDUs, resulting in writes past the newly allocated formats array, which causes memory corruption and a crash in the FreeRDP client.
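The stale-count pattern described above, reconstructed in C as an added example. This is not FreeRDP's code and does not reproduce its structures, wire format or negotiation logic: the audin_callback struct, the 8-byte record layout of the constructed MSG_SNDIN_FORMATS PDUs, the formats_capacity field, the rule that only format tag 1 is "supported", and all function names are assumptions made for the illustration. The stale variant keeps a count carried over from the previous PDU as its write index and, instead of corrupting the heap, counts the stores that would land past the newly allocated array; the fixed variant resets the count whenever the array is replaced and bounds-checks the store anyway.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumed, minimal format record; real AUDIN records carry more fields. */
typedef struct {
    uint16_t format_tag;
    uint16_t channels;
    uint32_t samples_per_sec;
} audio_format;

/* Assumed per-channel state: an array of accepted formats plus its count.
 * formats_capacity is an extra field added here so the example can detect
 * an out-of-bounds index instead of performing the write. */
typedef struct {
    audio_format *formats;
    size_t formats_count;
    size_t formats_capacity;
} audin_callback;

/* Constructed PDU layout (not the real encoding): u32 num_formats followed by
 * num_formats records of u16 format_tag, u16 channels, u32 samples_per_sec,
 * all little-endian. */
#define REC_LEN 8

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Assumed client policy: accept only PCM (tag 1). */
static int format_supported(const audio_format *f) { return f->format_tag == 1; }

/* Validate the header against the PDU length and replace the array with one
 * sized by THIS PDU. Returns the record count, or -1 for a malformed PDU. */
static long alloc_for_pdu(audin_callback *cb, const uint8_t *pdu, size_t len)
{
    if (len < 4) return -1;
    uint32_t num = rd32(pdu);
    if (num > 1024 || (len - 4) / REC_LEN < num) return -1; /* count vs. bytes present */
    audio_format *fresh = calloc(num ? num : 1, sizeof *fresh);
    if (!fresh) return -1;
    free(cb->formats);
    cb->formats = fresh;
    cb->formats_capacity = num;
    return (long)num;
}

/* Stale count: formats_count is never reset, so on the second PDU the write
 * index starts where the first PDU left it and runs past the new array.
 * Returns how many stores would have landed out of bounds (they are skipped). */
size_t process_formats_stale(audin_callback *cb, const uint8_t *pdu, size_t len)
{
    long num = alloc_for_pdu(cb, pdu, len);
    if (num < 0) return 0;
    size_t overrun = 0;
    for (long i = 0; i < num; i++) {
        const uint8_t *r = pdu + 4 + (size_t)i * REC_LEN;
        audio_format f = { rd16(r), rd16(r + 2), rd32(r + 4) };
        if (!format_supported(&f)) continue;
        size_t idx = cb->formats_count++;                          /* BUG: carried over */
        if (idx >= cb->formats_capacity) { overrun++; continue; }  /* would be heap OOB write */
        cb->formats[idx] = f;
    }
    return overrun;
}

/* Fixed form: the count belongs to the array it indexes, so it is reset when
 * the array is replaced, and the store is bounds-checked regardless. */
int process_formats_fixed(audin_callback *cb, const uint8_t *pdu, size_t len)
{
    long num = alloc_for_pdu(cb, pdu, len);
    if (num < 0) return -1;
    cb->formats_count = 0;
    for (long i = 0; i < num; i++) {
        const uint8_t *r = pdu + 4 + (size_t)i * REC_LEN;
        audio_format f = { rd16(r), rd16(r + 2), rd32(r + 4) };
        if (!format_supported(&f)) continue;
        if (cb->formats_count >= cb->formats_capacity) return -1;
        cb->formats[cb->formats_count++] = f;
    }
    return 0;
}

/* Constructed server messages: three PCM formats, then two PCM formats. */
static const uint8_t PDU_THREE[4 + 3 * REC_LEN] = { 3,0,0,0, 1,0,2,0,0x80,0xBB,0,0,
                                                    1,0,1,0,0x44,0xAC,0,0, 1,0,2,0,0x44,0xAC,0,0 };
static const uint8_t PDU_TWO[4 + 2 * REC_LEN] = { 2,0,0,0, 1,0,2,0,0x80,0xBB,0,0,
                                                  1,0,1,0,0x44,0xAC,0,0 };

/* Two-PDU sequence through the stale variant: out-of-bounds stores it would make. */
size_t demo_stale_overrun(void)
{
    audin_callback cb = { 0 };
    size_t o = process_formats_stale(&cb, PDU_THREE, sizeof PDU_THREE);
    o += process_formats_stale(&cb, PDU_TWO, sizeof PDU_TWO);
    free(cb.formats);
    return o;
}

/* Same sequence through the fixed variant: count reflects the last PDU only. */
size_t demo_fixed_count(void)
{
    audin_callback cb = { 0 };
    process_formats_fixed(&cb, PDU_THREE, sizeof PDU_THREE);
    process_formats_fixed(&cb, PDU_TWO, sizeof PDU_TWO);
    size_t n = cb.formats_count;
    free(cb.formats);
    return n;
}

/* A PDU whose header claims more records than the bytes present is rejected. */
int demo_truncated_rejected(void)
{
    audin_callback cb = { 0 };
    int rc = process_formats_fixed(&cb, PDU_TWO, 12);
    free(cb.formats);
    return rc == -1;
}

int main(void)
{
    printf("stale variant: %zu out-of-bounds stores on the second PDU\n", demo_stale_overrun());
    printf("fixed variant: formats_count = %zu after the second PDU\n", demo_fixed_count());
    printf("truncated PDU rejected: %d\n", demo_truncated_rejected());
    return 0;
}
```

With three formats accepted from the first PDU, the stale index starts at 3 when the second PDU allocates a two-slot array, so both stores of the second PDU fall outside it; the fixed variant ends with formats_count equal to 2. Note that the length check in alloc_for_pdu is a separate, unrelated hardening: the advisory describes the stale count, not a header-length mismatch.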
An attacker can exploit this vulnerability remotely, without authenticating to the client, by operating a malicious or compromised RDP server that a victim client connects to. The CVSS v3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, base score 9.8) rates attack complexity as low with no user interaction, although in practice the victim's client must initiate a connection to the attacker-controlled server. The published description confirms memory corruption and a crash of the client (denial of service); the high confidentiality, integrity, and availability impacts in the score reflect that a server-controlled heap write may be exploitable beyond a crash.
The vulnerability is addressed in FreeRDP version 3.20.1, and updating to this release is the supported fix. Because the affected code is in the client's Audio Input (AUDIN) channel, a client that does not load audio input redirection does not process MSG_SNDIN_FORMATS PDUs, but this is a stopgap rather than a substitute for the update. Additional details are available in the FreeRDP security advisory at https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-9chc-g79v-4qq4 and the release notes at https://github.com/FreeRDP/FreeRDP/releases/tag/3.20.1.
Details
- CWE(s)