
CVE-2026-22852

Severity: Medium · Public PoC

Published: 14 January 2026

Modified: 20 January 2026
CVSS v4 score: 6.8 (CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0037 (28.2nd percentile)
Risk priority: 35 (floored blend · peak EPSS)

Summary

CVE-2026-22852 is a medium-severity Out-of-bounds Write (CWE-787) vulnerability in FreeRDP (vendor/product: freerdp/freerdp). Its CVSS v4 base score is 6.8 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). The CVE is ranked at the 28.2nd percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and AC-17 (Remote Access).

Deeper analysis

CVE-2026-22852 is a heap-buffer-overflow write vulnerability (CWE-787) in FreeRDP, a free implementation of the Remote Desktop Protocol, affecting client versions prior to 3.20.1. The issue arises when processing Audio Input (AUDIN) format lists sent by a malicious RDP server. Specifically, the audin_process_formats function reuses callback->formats_count across multiple MSG_SNDIN_FORMATS PDUs, resulting in writes past the newly allocated formats array, which causes memory corruption and a crash in the FreeRDP client.

An unauthenticated attacker can exploit this vulnerability remotely by operating a malicious RDP server that a victim client connects to, with low attack complexity and no user interaction required, as indicated by the CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). Note that the CVSS v4 vector listed above rates attack complexity as high (AC:H) and requires passive user interaction (UI:P), reflecting that the victim must initiate a connection to the attacker-controlled server; the two scoring systems therefore disagree on severity. Successful exploitation leads to memory corruption in the client, resulting in a denial-of-service crash, with potential for high-impact confidentiality, integrity, and availability effects.

The vulnerability is addressed in FreeRDP version 3.20.1. Mitigation involves updating to this patched release. Additional details are available in the FreeRDP security advisory at https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-9chc-g79v-4qq4 and the release notes at https://github.com/FreeRDP/FreeRDP/releases/tag/3.20.1.
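As an added illustration, written for this page and not taken from FreeRDP or from the advisory's proof-of-concept, the C program below models the failure mode described in the analysis above: a stateful parser that caches a count from one format-list PDU and reuses it as the loop bound after allocating an array sized from the next PDU. Everything in it is hypothetical: the `format_cb` structure, the `read_le` helper, the wire layout (a uint32 count followed by uint16 tags), the constructed PDU bytes, and the guard in `store_format` that counts out-of-bounds writes instead of performing them, so the defect is observable without corrupting the heap. The hardened handler shows the shape of a fix: re-derive the count from every PDU, check it against the payload length before allocating, and use that one value both to size the buffer and to bound the loop.

```c
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical client channel state caching the server's format list; an
 * illustrative stand-in, not FreeRDP's own structures. */
typedef struct {
    uint16_t *formats;       /* heap array, one tag per announced format      */
    size_t    formats_count; /* how many entries the parser believes it holds */
    size_t    capacity;      /* real allocated length, used only by the guard  */
} format_cb;

/* Guarded store: an out-of-range index is counted, not written, so the defect
 * is observable without corrupting the heap. Returns 1 when out of bounds. */
static int store_format(format_cb *cb, size_t idx, uint16_t tag)
{
    if (idx >= cb->capacity)
        return 1;
    cb->formats[idx] = tag;
    return 0;
}

/* Little-endian read of `width` (2 or 4) bytes; returns 0 if it would run past
 * `len`. Constructed wire layout: uint32 count, then count x uint16 tags. */
static int read_le(const uint8_t *p, size_t len, size_t off, int width, uint32_t *out)
{
    if (len < (size_t)width || off > len - width)
        return 0;
    *out = 0;
    for (int i = width - 1; i >= 0; i--)
        *out = (*out << 8) | p[off + i];
    return 1;
}

/* Vulnerable pattern: the array is sized from the current PDU, but the loop
 * bound is a count cached from an earlier PDU, so a second, shorter list drives
 * writes past the fresh array. Returns out-of-bounds write count, -1 if malformed. */
int process_formats_vulnerable(format_cb *cb, const uint8_t *pdu, size_t len)
{
    uint32_t n, tag;
    if (!read_le(pdu, len, 0, 4, &n) || (len - 4) / 2 < n)
        return -1;
    free(cb->formats);
    cb->formats = calloc(n ? n : 1, sizeof *cb->formats);
    if (!cb->formats)
        return -1;
    cb->capacity = n;
    if (cb->formats_count == 0)          /* BUG: only initialised once */
        cb->formats_count = n;
    int oob = 0;
    for (size_t i = 0; i < cb->formats_count; i++) {
        tag = 0;
        read_le(pdu, len, 4 + i * 2, 2, &tag);  /* silently fails past the payload */
        oob += store_format(cb, i, (uint16_t)tag);
    }
    return oob;
}

/* Hardened form: one count, re-derived from every PDU and checked against the
 * payload length, both sizes the allocation and bounds the loop. */
int process_formats_fixed(format_cb *cb, const uint8_t *pdu, size_t len)
{
    uint32_t n, tag;
    if (!read_le(pdu, len, 0, 4, &n) || (len - 4) / 2 < n)
        return -1;
    uint16_t *fresh = calloc(n ? n : 1, sizeof *fresh);
    if (!fresh)
        return -1;
    free(cb->formats);
    cb->formats = fresh;
    cb->capacity = n;
    cb->formats_count = n;               /* state reset on every list */
    int oob = 0;
    for (size_t i = 0; i < n; i++) {
        if (!read_le(pdu, len, 4 + i * 2, 2, &tag))
            return -1;
        oob += store_format(cb, i, (uint16_t)tag);
    }
    return oob;
}

/* Constructed PDUs: a four-entry list, a two-entry list, and one whose count
 * is not backed by its payload. */
static const uint8_t PDU_FOUR[] = {4, 0, 0, 0, 1, 0, 2, 0, 3, 0, 4, 0};
static const uint8_t PDU_TWO[]  = {2, 0, 0, 0, 1, 0, 2, 0};
static const uint8_t PDU_LIE[]  = {100, 0, 0, 0, 1, 0};
typedef int (*handler_fn)(format_cb *, const uint8_t *, size_t);

/* Replay the four-entry then the two-entry list through one handler on shared
 * state; returns total intercepted out-of-bounds writes, or -1 if rejected. */
int replay_two_lists(handler_fn handler)
{
    format_cb cb = {0};
    int a = handler(&cb, PDU_FOUR, sizeof PDU_FOUR);
    int b = handler(&cb, PDU_TWO, sizeof PDU_TWO);
    free(cb.formats);
    return (a < 0 || b < 0) ? -1 : a + b;
}

/* 1 if the handler rejects a count that exceeds the bytes actually present. */
int rejects_oversized_count(handler_fn handler)
{
    format_cb cb = {0};
    int r = handler(&cb, PDU_LIE, sizeof PDU_LIE);
    free(cb.formats);
    return r == -1;
}
```

Replaying the four-entry list and then the two-entry list through `process_formats_vulnerable` yields two intercepted writes at indices 2 and 3 of a two-element array, which is the stale-count pattern the advisory describes; the same replay through `process_formats_fixed` yields none. In a real build the guard would not exist, and the equivalent check is running the client under AddressSanitizer or a fuzzing harness that feeds repeated channel PDUs, since a single well-formed PDU never reaches the defect.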


Vulnerability details

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, a malicious RDP server can trigger a heap-buffer-overflow write in the FreeRDP client when processing Audio Input (AUDIN) format lists. audin_process_formats reuses callback->formats_count across multiple MSG_SNDIN_FORMATS PDUs and writes past the newly allocated formats array, causing memory corruption and a crash. This vulnerability is fixed in 3.20.1.

CWE(s): CWE-787 Out-of-bounds Write

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1203 Exploitation for Client Execution (tactic: Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.
Why these techniques?

Heap overflow in FreeRDP client enables remote exploitation for code execution (or DoS) when connecting to a malicious RDP server, directly mapping to client-side exploitation technique.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-26955 (same product: FreeRDP)
CVE-2026-26965 (same product: FreeRDP)
CVE-2026-29774 (same product: FreeRDP)
CVE-2026-29775 (same product: FreeRDP)
CVE-2026-25952 (same product: FreeRDP)
CVE-2026-22859 (same product: FreeRDP)
CVE-2026-31883 (same product: FreeRDP)
CVE-2026-33986 (same product: FreeRDP)
CVE-2026-23530 (same product: FreeRDP)
CVE-2026-33987 (same product: FreeRDP)

Affected Assets

Vendor: freerdp · Product: freerdp · Versions: ≤ 3.20.1

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

SI-2 Flaw Remediation · prevent

Mandates timely identification, reporting, and correction of software flaws like the heap buffer overflow in FreeRDP prior to version 3.20.1.

SI-16 Memory Protection · prevent

Implements memory protections such as address space layout randomization and non-executable memory to mitigate heap buffer overflow corruption and exploitation.

AC-17 Remote Access (partial match) · prevent

Authorizes and manages remote access sessions including RDP to prevent FreeRDP clients from connecting to malicious servers sending exploitable AUDIN format lists.
