CVE-2026-22853
Published: 14 January 2026
Summary
CVE-2026-22853 is a medium-severity Out-of-bounds Write (CWE-787) vulnerability in Freerdp Freerdp. Its CVSS base score is 6.8 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 38.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Deeper analysis
CVE-2026-22853 is a heap buffer overflow vulnerability in FreeRDP, a free implementation of the Remote Desktop Protocol. Prior to version 3.20.1, the RDPEAR component's NDR array reader fails to perform bounds checking on the on-wire element count, allowing it to write past the heap buffer allocated based on hints. This issue, classified under CWE-787 (Out-of-bounds Write), affects the ndr_read_uint8Array function and carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
A remote, unauthenticated attacker can exploit this vulnerability over the network with low complexity and no user interaction required. By crafting malicious RDP traffic, the attacker can trigger the buffer overflow, potentially achieving high-impact confidentiality, integrity, and availability violations, such as arbitrary code execution on the target system processing the FreeRDP client or server.
The vulnerability is addressed in FreeRDP version 3.20.1, as detailed in the project's release notes and security advisory. Security practitioners should update to this version or later to mitigate the issue, per the guidance in the GitHub release at https://github.com/FreeRDP/FreeRDP/releases/tag/3.20.1 and advisory GHSA-47v9-p4gp-w5ch at https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-47v9-p4gp-w5ch.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-2674
Vulnerability details
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, RDPEAR’s NDR array reader does not perform bounds checking on the on‑wire element count and can write past the heap buffer allocated from hints, causing a heap…
more
buffer overflow in ndr_read_uint8Array. This vulnerability is fixed in 3.20.1.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Heap buffer overflow in FreeRDP's RDP handling (RDPEAR/NDR) directly enables remote unauthenticated exploitation of public-facing RDP services or remote desktop endpoints, mapping to T1190 (public-facing app) and T1210 (remote services).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Requires timely remediation of flaws through patching FreeRDP to version 3.20.1 or later, directly eliminating the heap buffer overflow vulnerability.
Implements memory protections such as ASLR and DEP that prevent successful exploitation of heap buffer overflows even if the vulnerability exists.
Enforces validation and bounds checking of untrusted network inputs like RDP traffic element counts to prevent out-of-bounds writes in NDR array parsing.