CVE-2026-22856
Published: 14 January 2026
Summary
CVE-2026-22856 is a race condition (CWE-362) in FreeRDP that results in a heap use-after-free (CWE-416). This summary lists a CVSS base score of 6.8 (Medium); note that the CVSS v3.1 vector quoted in the deeper analysis on this page scores 8.1 (High), so confirm against the upstream advisory which score your scoring model should use.
Operationally, exploitation maps to the MITRE ATT&CK technique Exploitation of Remote Services (T1210). The CVE has an exploit-likelihood percentile of 20.2 (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).
Deeper analysis
CVE-2026-22856 is a heap use-after-free vulnerability in FreeRDP, a free implementation of the Remote Desktop Protocol (RDP). The issue stems from a race condition in the serial channel IRP thread tracking, where one thread removes an entry from serial->IrpThreads while another thread reads it. This affects FreeRDP versions prior to 3.20.1 and is classified under CWE-362 (Concurrent Execution using Shared Resource with Improper Synchronization) and CWE-416 (Use After Free), with a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).
The CVSS vector scores this as reachable over the network without privileges or user interaction (AV:N/PR:N/UI:N) but with high attack complexity (AC:H): the attacker has to land the removal of an IrpThreads entry inside the window between another thread's lookup of that entry and its use of the returned pointer. Winning that race yields a read of freed heap memory, so the scored impact is high on confidentiality, integrity and availability, from information disclosure and crashes up to arbitrary code execution if the freed chunk can be reallocated with attacker-controlled data. One practical caveat: the serial channel is part of the FreeRDP client's device-redirection code (channels/serial/client), and the IRPs whose threads are tracked in serial->IrpThreads are issued by the RDP server, so the realistic attacker is a malicious or compromised server acting on a connecting FreeRDP client that has serial-port redirection enabled, rather than a remote party attacking a listening RDP service.
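The following is an added example, not FreeRDP's code or its fix. It models in C the bug class described above: a table of in-flight IRP entries shared by a dispatch thread and per-IRP worker threads, where one thread removes and frees an entry while another still holds a pointer it looked up. The first variant reproduces that window; the second shows one standard remedy, per-user reference counting taken under the table lock, so that removal only drops the table's reference and the memory outlives every in-flight user. All names (irp_entry, safe_acquire, race_unsafe and so on), the fixed-size array standing in for the real dictionary, the spinlock standing in for the channel's lock, and the bookkeeping pool that stands in for free() are this example's own assumptions; the hardened variant is not a description of what the 3.20.1 patch does.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Added example, not FreeRDP code. Models the bug class behind CVE-2026-22856:
 * a table of in-flight IRP entries shared by the serial channel's dispatch thread
 * (D) and its per-IRP worker threads (W). Assumptions: a fixed array stands in for
 * the real dictionary keyed by completion id, a spinlock for the channel's lock, and
 * "freeing" marks a pool slot instead of calling free(), so a dangling pointer can
 * be reported rather than dereferenced (which would be undefined behaviour). */
#define MAX_IRPS 8

typedef struct {
    uint32_t completion_id;
    int refcount;  /* hardened variant only: one ref for the table + one per user */
    int payload;   /* stand-in for the IRP state a reader dereferences */
} irp_entry;

static irp_entry pool[MAX_IRPS];
static bool pool_live[MAX_IRPS];    /* constructed bookkeeping: allocated or freed */
static irp_entry* table[MAX_IRPS];  /* the shared table, like serial->IrpThreads */
static atomic_flag table_lock = ATOMIC_FLAG_INIT;

static void lock(void)   { while (atomic_flag_test_and_set(&table_lock)) {} }
static void unlock(void) { atomic_flag_clear(&table_lock); }
static void reset(void) { for (size_t i = 0; i < MAX_IRPS; i++) { pool_live[i] = false; table[i] = NULL; } }
static irp_entry* entry_alloc(uint32_t id) {
    for (size_t i = 0; i < MAX_IRPS; i++) {
        if (pool_live[i]) continue;
        pool_live[i] = true;
        pool[i] = (irp_entry){ .completion_id = id, .refcount = 1, .payload = 42 };
        return &pool[i];
    }
    return NULL;
}
static void entry_free(irp_entry* e)          { pool_live[e - pool] = false; }
static bool entry_is_live(const irp_entry* e) { return pool_live[e - pool]; }

/* Table helpers; callers hold the lock. table_find returns the entry or NULL. */
static void table_insert(irp_entry* e) {
    for (size_t i = 0; i < MAX_IRPS; i++) if (!table[i]) { table[i] = e; return; }
}
static irp_entry* table_find(uint32_t id, size_t* slot) {
    for (size_t i = 0; i < MAX_IRPS; i++)
        if (table[i] && table[i]->completion_id == id) { *slot = i; return table[i]; }
    return NULL;
}

/* Vulnerable pattern: lookup hands out a raw pointer and remove frees at once.
 * Both take the lock, but nothing protects the pointer between D's lookup and use. */
static irp_entry* unsafe_lookup(uint32_t id) {
    size_t s; lock(); irp_entry* e = table_find(id, &s); unlock();
    return e;
}
static void unsafe_remove(uint32_t id) {
    size_t s; lock(); irp_entry* e = table_find(id, &s);
    if (e) { table[s] = NULL; entry_free(e); }
    unlock();
}

/* Hardened pattern: the table owns one reference, each user takes its own under
 * the lock, and memory is released only when the last reference drops. */
static irp_entry* safe_acquire(uint32_t id) {
    size_t s; lock(); irp_entry* e = table_find(id, &s);
    if (e) e->refcount++;
    unlock();
    return e;
}
static void safe_release(irp_entry* e) {
    lock(); bool last = (--e->refcount == 0); unlock();
    if (last) entry_free(e);
}
static void safe_remove(uint32_t id) {
    size_t s; lock(); irp_entry* e = table_find(id, &s);
    if (e) table[s] = NULL;
    unlock();
    if (e) safe_release(e);  /* drop only the table's reference */
}

/* The advisory's interleaving: D looks up the entry, is preempted, W removes it,
 * D resumes and reads. Returns true if D's pointer is dangling at the read. */
bool race_unsafe(void) {
    reset();
    table_insert(entry_alloc(1));
    irp_entry* d = unsafe_lookup(1);        /* D */
    unsafe_remove(1);                       /* W completes the IRP */
    return d != NULL && !entry_is_live(d);  /* D would now read freed memory */
}

/* Same interleaving against the hardened table. Returns true if the entry stays
 * live throughout D's use and is freed only once D releases it. */
bool race_safe(int* payload_out) {
    reset();
    table_insert(entry_alloc(1));
    irp_entry* d = safe_acquire(1);         /* D holds its own reference */
    safe_remove(1);                         /* W drops the table's reference */
    bool live_during_use = d != NULL && entry_is_live(d);
    *payload_out = live_during_use ? d->payload : -1;
    bool gone = (safe_acquire(1) == NULL);  /* later lookups find nothing */
    if (d) safe_release(d);                 /* last reference: freed here */
    return live_during_use && gone && !entry_is_live(d);
}
```

race_unsafe() returns true because the pointer D looked up is already released by the time D reads it; race_safe() returns true and hands back the payload because D's own reference keeps the entry alive until release, while a second lookup after removal correctly finds nothing. Against the real channel the equivalent check is a build under AddressSanitizer and ThreadSanitizer, which report the freed-memory read and the unsynchronised access respectively.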
The FreeRDP security advisory (GHSA-w842-c386-fxhv) and release notes for version 3.20.1 confirm that the vulnerability is fixed in 3.20.1. Security practitioners should update to FreeRDP 3.20.1 or later to mitigate the issue.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-2671
Vulnerability details
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, a race in the serial channel IRP thread tracking allows a heap use-after-free when one thread removes an entry from serial->IrpThreads while another reads it. This vulnerability is fixed in 3.20.1.
- CWE(s): CWE-362 (Concurrent Execution using Shared Resource with Improper Synchronization), CWE-416 (Use After Free)
Related Threats
MITRE ATT&CK Enterprise Techniques: Exploitation of Remote Services (T1210)
Why these techniques?
The heap use-after-free in the FreeRDP serial channel is reachable over the RDP connection (AV:N) and, if the freed chunk can be reclaimed with controlled data, can be driven toward code execution. Read the T1210 mapping with the attack surface in mind: the serial channel is client-side device-redirection code, so the "remote service" being exploited is a FreeRDP client session with serial redirection enabled and a hostile server on the other end, not a listening RDP daemon.
Affected Assets: FreeRDP versions prior to 3.20.1, including libfreerdp builds embedded in other remote-desktop clients; fixed in 3.20.1.
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly requires timely identification, reporting, and correction of software flaws like the heap use-after-free race condition in FreeRDP prior to version 3.20.1; here that means upgrading to 3.20.1 or later, including any client that bundles libfreerdp.
- RA-5 (Vulnerability Monitoring and Scanning): enables proactive detection of CVE-2026-22856 through regular vulnerability scanning of FreeRDP components; check both the system package and any vendored copy of libfreerdp, since the latter is what scanners keyed on the package name miss.
- SI-16 (Memory Protection): provides memory protection mechanisms (ASLR, non-executable memory, hardened allocators) that raise the cost of turning the heap use-after-free into code execution; they do not remove the race itself and are a compensating control until the upgrade lands.