Cyber Resilience

CVE-2026-22856

Severity: Medium · Public PoC

Published: 14 January 2026
Modified: 20 January 2026
KEV Added: not listed
Patch: fix released in 3.20.1
CVSS v4.0 score: 6.8 (Medium)
CVSS vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS score: 0.0029 (20.2th percentile)
Risk Priority: 35 (floored blend · peak EPSS)

Summary

CVE-2026-22856 is a medium-severity Race Condition (CWE-362) vulnerability in Freerdp Freerdp. Its CVSS base score is 6.8 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation of Remote Services (T1210). The CVE is ranked at the 20.2th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).

Deeper analysis

CVE-2026-22856 is a heap use-after-free vulnerability in FreeRDP, a free implementation of the Remote Desktop Protocol (RDP). The issue stems from a race condition in the serial channel IRP thread tracking, where one thread removes an entry from serial->IrpThreads while another thread reads it. This affects FreeRDP versions prior to 3.20.1 and is classified under CWE-362 (Concurrent Execution using Shared Resource with Improper Synchronization) and CWE-416 (Use After Free), with a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).

Remote attackers can exploit this vulnerability over the network without privileges or user interaction, though it requires high attack complexity. Successful exploitation could lead to high-impact consequences, including unauthorized disclosure of sensitive information, modification of data, and denial of service, potentially enabling arbitrary code execution via the heap use-after-free.

The FreeRDP security advisory (GHSA-w842-c386-fxhv) and release notes for version 3.20.1 confirm that the vulnerability is fixed in 3.20.1. Security practitioners should update to FreeRDP 3.20.1 or later to mitigate the issue.
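To make the bug class concrete, the following is an added illustration, not FreeRDP's code: a minimal thread-tracking table in the shape the advisory describes (one thread removes an entry while another reads it). The bug pattern is a lookup that returns a borrowed pointer into the table after dropping the lock, so a concurrent remove can free the entry first (CWE-362 leading to CWE-416). The fix pattern copies the needed fields out while the lock is held, so no pointer into the table escapes the critical section. All names (`irp_table`, `irp_entry`, `irp_table_*`) and the entry fields are hypothetical; the real `serial->IrpThreads` handling differs in detail.

```c
/* Added example (not FreeRDP code): hypothetical IRP-thread table showing the
 * race-to-use-after-free pattern and a copy-out fix. Build with
 * -fsanitize=thread or -fsanitize=address to observe the difference under
 * concurrent readers/removers. */
#include <pthread.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define IRP_TABLE_SLOTS 8

/* One tracked IRP worker; fields are constructed for this example. */
typedef struct { uint32_t id; char state[16]; } irp_entry;

typedef struct {
    pthread_mutex_t lock;   /* guards slots[] AND every entry reached through it */
    irp_entry *slots[IRP_TABLE_SLOTS];
} irp_table;

void irp_table_init(irp_table *t) {
    pthread_mutex_init(&t->lock, NULL);
    memset(t->slots, 0, sizeof t->slots);
}

bool irp_table_add(irp_table *t, uint32_t id, const char *state) {
    bool ok = false;
    pthread_mutex_lock(&t->lock);
    for (size_t i = 0; i < IRP_TABLE_SLOTS; i++) {
        if (t->slots[i] != NULL) continue;
        irp_entry *e = calloc(1, sizeof *e);
        if (e == NULL) break;
        e->id = id;
        strncpy(e->state, state, sizeof e->state - 1);
        t->slots[i] = e;
        ok = true;
        break;
    }
    pthread_mutex_unlock(&t->lock);
    return ok;
}

/* Remover side (the thread finishing an IRP): unlink and free under the lock. */
bool irp_table_remove(irp_table *t, uint32_t id) {
    bool ok = false;
    pthread_mutex_lock(&t->lock);
    for (size_t i = 0; i < IRP_TABLE_SLOTS; i++) {
        if (t->slots[i] != NULL && t->slots[i]->id == id) {
            free(t->slots[i]);
            t->slots[i] = NULL;
            ok = true;
            break;
        }
    }
    pthread_mutex_unlock(&t->lock);
    return ok;
}

/* BUG PATTERN: hands back a pointer into the table. The lock is released
 * before the caller dereferences it, so a concurrent irp_table_remove() can
 * free the entry first; every later access through the pointer is a heap
 * use-after-free. Kept only for comparison, never call it in new code. */
irp_entry *irp_table_find_borrowed(irp_table *t, uint32_t id) {
    irp_entry *found = NULL;
    pthread_mutex_lock(&t->lock);
    for (size_t i = 0; i < IRP_TABLE_SLOTS; i++) {
        if (t->slots[i] != NULL && t->slots[i]->id == id) { found = t->slots[i]; break; }
    }
    pthread_mutex_unlock(&t->lock);
    return found;   /* may already be dangling when the caller uses it */
}

/* FIX PATTERN: copy the fields the caller needs while the lock is held, so the
 * reader never holds a reference that the remover can free underneath it. */
bool irp_table_find_copy(irp_table *t, uint32_t id, irp_entry *out) {
    bool ok = false;
    pthread_mutex_lock(&t->lock);
    for (size_t i = 0; i < IRP_TABLE_SLOTS; i++) {
        if (t->slots[i] != NULL && t->slots[i]->id == id) { *out = *t->slots[i]; ok = true; break; }
    }
    pthread_mutex_unlock(&t->lock);
    return ok;
}

size_t irp_table_count(irp_table *t) {
    size_t n = 0;
    pthread_mutex_lock(&t->lock);
    for (size_t i = 0; i < IRP_TABLE_SLOTS; i++) n += (t->slots[i] != NULL);
    pthread_mutex_unlock(&t->lock);
    return n;
}
```

The copy-out approach is the simplest correct fix when entries are small; when the reader needs to keep working with the entry after the lookup, a reference count taken under the lock (and released by the last user) is the alternative, and the remover must then only drop its own reference rather than free outright. Either way, the invariant to enforce in review is that no pointer obtained under `lock` is dereferenced after `lock` is released.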


Vulnerability details

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, a race in the serial channel IRP thread tracking allows a heap use-after-free when one thread removes an entry from serial->IrpThreads while another reads it. This vulnerability is fixed in 3.20.1.

CWE(s)

CWE-362 (Concurrent Execution using Shared Resource with Improper Synchronization), CWE-416 (Use After Free)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assigned)

T1210 Exploitation of Remote Services (Lateral Movement)
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.

Why these techniques?

Heap UAF in FreeRDP serial channel enables remote exploitation of RDP service for RCE (AV:N).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-23732 · Same product: Freerdp Freerdp
CVE-2026-24677 · Same product: Freerdp Freerdp
CVE-2026-25952 · Same product: Freerdp Freerdp
CVE-2026-24681 · Same product: Freerdp Freerdp
CVE-2026-24678 · Same product: Freerdp Freerdp
CVE-2026-27950 · Same product: Freerdp Freerdp
CVE-2026-22857 · Same product: Freerdp Freerdp
CVE-2026-24680 · Same product: Freerdp Freerdp
CVE-2026-25953 · Same product: Freerdp Freerdp
CVE-2026-24675 · Same product: Freerdp Freerdp

Affected Assets

Vendor: freerdp
Product: freerdp
Versions: ≤ 3.20.1 (as listed; note that the advisory and release notes state the fix ships in 3.20.1, so builds prior to 3.20.1 are the affected ones)

Mitigating Controls

Mitigating Controls (NIST 800-53 r5, AI-assigned)

SI-2 Flaw Remediation (prevent · recover)
Directly requires timely identification, reporting, and correction of software flaws like the heap use-after-free race condition in FreeRDP prior to version 3.20.1.

RA-5 Vulnerability Monitoring and Scanning (detect)
Enables proactive detection of the CVE-2026-22856 vulnerability through regular vulnerability scanning of FreeRDP components.

Memory protection (prevent)
Provides memory protection mechanisms that mitigate exploitation of the heap use-after-free vulnerability triggered by the serial channel race condition.

References