CVE-2026-22856
Published: 14 January 2026
Summary
CVE-2026-22856 is a high-severity race condition (CWE-362) in FreeRDP that results in a heap use-after-free (CWE-416). Its CVSS v3.1 base score is 8.1 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploitation of Remote Services (T1210). The vulnerability ranks at the 20.6th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly requires timely identification, reporting and correction of software flaws such as the heap use-after-free race condition in FreeRDP prior to version 3.20.1.
- RA-5 (Vulnerability Monitoring and Scanning): enables proactive detection of CVE-2026-22856 through regular vulnerability scanning of FreeRDP components.
- Memory protection mechanisms (for example ASLR and non-executable heap pages): raise the cost of turning the use-after-free triggered by the serial channel race into code execution, but do not remove the race itself, so they complement rather than replace the update.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The heap use-after-free in the FreeRDP serial channel is reachable over the RDP connection without authentication or user interaction (AV:N/PR:N/UI:N) and can be escalated to code execution, which is why it maps to Exploitation of Remote Services (T1210). Two caveats for defenders: FreeRDP implements the serial (COM-port redirection) channel on the client side, so the realistic trigger is a malicious or compromised RDP server sending serial IRPs to a connecting client that has serial redirection enabled; and because the attacker must win a race between two threads, exploitation is unreliable (AC:H).
NVD Description
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, a race in the serial channel IRP thread tracking allows a heap use-after-free when one thread removes an entry from serial->IrpThreads while another reads it. This vulnerability is fixed in 3.20.1.
Deeper analysis
CVE-2026-22856 is a heap use-after-free vulnerability in FreeRDP, a free implementation of the Remote Desktop Protocol (RDP). The issue stems from a race condition in the serial channel IRP thread tracking, where one thread removes an entry from serial->IrpThreads while another thread reads it. This affects FreeRDP versions prior to 3.20.1 and is classified under CWE-362 (Concurrent Execution using Shared Resource with Improper Synchronization) and CWE-416 (Use After Free), with a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).
Remote attackers can trigger the flaw over the network without privileges or user interaction (AV:N/PR:N/UI:N), but attack complexity is high (AC:H) because the attacker must win a narrow race between the thread removing an IrpThreads entry and the thread reading it. A successful exploit can disclose sensitive information, modify data and crash the process (C:H/I:H/A:H), and a controlled heap use-after-free can potentially be escalated to arbitrary code execution.
The FreeRDP security advisory (GHSA-w842-c386-fxhv) and release notes for version 3.20.1 confirm that the vulnerability is fixed in 3.20.1. Security practitioners should update to FreeRDP 3.20.1 or later to mitigate the issue.
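The race described above (one thread removing and releasing a per-IRP record while another looks it up and dereferences it) in miniature, as an added C example that is not FreeRDP's code and does not reproduce the 3.20.1 patch: the `IrpRecord` and `IrpTable` types, the `reader` and `remover` threads and the `count_stale_reads` driver are all constructed here for illustration. The unsafe path releases the table lock between lookup and use, which is the pattern that yields a heap use-after-free; the safe path reference-counts records so the remover cannot free one that a reader still holds. Because the unsafe remover only poisons a record instead of calling `free()`, the stale access can be counted without undefined behaviour.

```c
/* Added example, not FreeRDP code: model of the CVE-2026-22856 bug class. */
#define _POSIX_C_SOURCE 200809L
#include <pthread.h>
#include <sched.h>
#include <stdatomic.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#define TABLE_SIZE 64
#define LIVE_MAGIC 0x49525054u   /* record is valid */
#define DEAD_MAGIC 0xDEADDEADu   /* record has been released */
typedef struct {
    atomic_uint magic;    /* LIVE_MAGIC while valid, DEAD_MAGIC once released */
    atomic_int refcount;  /* safe variant only; the table holds one reference */
} IrpRecord;              /* stands in for a per-IRP thread record */
typedef struct {
    pthread_mutex_t lock;
    IrpRecord *slots[TABLE_SIZE];  /* live lookups by completion id (like serial->IrpThreads) */
    IrpRecord *owned[TABLE_SIZE];  /* unsafe run only: the real free() is deferred to the end */
} IrpTable;
typedef struct { IrpTable *t; int safe; } Worker;   /* hypothetical thread argument */

static IrpTable *table_new(void)
{
    IrpTable *t = calloc(1, sizeof *t);
    pthread_mutex_init(&t->lock, NULL);
    for (uint32_t i = 0; i < TABLE_SIZE; i++) {
        IrpRecord *r = calloc(1, sizeof *r);
        atomic_init(&r->magic, LIVE_MAGIC);
        atomic_init(&r->refcount, 1);
        t->slots[i] = t->owned[i] = r;
    }
    return t;
}

static void record_release(IrpRecord *r)   /* safe variant: free on the last reference */
{
    if (atomic_fetch_sub(&r->refcount, 1) != 1) return;
    atomic_store(&r->magic, DEAD_MAGIC);
    free(r);
}

/* Looks up every record and dereferences it. */
static void *reader(void *arg)
{
    Worker *w = arg;
    uintptr_t stale = 0;
    for (uint32_t i = 0; i < TABLE_SIZE; i++) {
        pthread_mutex_lock(&w->t->lock);
        IrpRecord *r = w->t->slots[i];
        if (r && w->safe) atomic_fetch_add(&r->refcount, 1); /* FIX: pin it while still under the lock */
        pthread_mutex_unlock(&w->t->lock);                    /* BUG (unsafe): r is now unprotected */
        if (!r) continue;
        sched_yield();                                        /* widen the race window */
        if (atomic_load(&r->magic) != LIVE_MAGIC) stale++;    /* touched a released record: the UAF */
        if (w->safe) record_release(r);
    }
    return (void *)stale;
}

/* Removes every record from the table, as a finishing IRP thread would. */
static void *remover(void *arg)
{
    Worker *w = arg;
    for (uint32_t i = 0; i < TABLE_SIZE; i++) {
        pthread_mutex_lock(&w->t->lock);
        IrpRecord *r = w->t->slots[i];
        w->t->slots[i] = NULL;
        pthread_mutex_unlock(&w->t->lock);
        if (!r) continue;
        if (w->safe) record_release(r);             /* FIX: drop the table's reference only */
        else atomic_store(&r->magic, DEAD_MAGIC);   /* stands in for free(r): poisoned, not freed, so a stale read is observable without UB */
    }
    return NULL;
}

/* Runs a reader/remover pair `rounds` times; returns how many reads hit a released record. */
unsigned long count_stale_reads(int safe, int rounds)
{
    unsigned long total = 0;
    for (int n = 0; n < rounds; n++) {
        Worker w = { table_new(), safe };
        pthread_t rd, rm; void *stale = NULL;
        pthread_create(&rd, NULL, reader, &w);
        pthread_create(&rm, NULL, remover, &w);
        pthread_join(rd, &stale);
        pthread_join(rm, NULL);
        if (!safe) for (uint32_t i = 0; i < TABLE_SIZE; i++) free(w.t->owned[i]);
        pthread_mutex_destroy(&w.t->lock);
        free(w.t);
        total += (unsigned long)(uintptr_t)stale;
    }
    return total;
}

int main(void) {
    printf("unsafe pattern: %lu stale reads\n", count_stale_reads(0, 500));
    printf("safe pattern:   %lu stale reads\n", count_stale_reads(1, 500));
    return 0;
}
```

Build with `cc -pthread` and run. The safe variant always reports zero stale reads; the unsafe count varies from run to run because it depends on scheduling, which is the same property that earns the CVSS vector its AC:H. Holding the table lock across the whole lookup-and-use would also close the window, but it serialises every IRP completion against every lookup; reference counting keeps the critical section to the lookup itself.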
Details
- CWE(s): CWE-362 (Concurrent Execution using Shared Resource with Improper Synchronization, i.e. Race Condition), CWE-416 (Use After Free)