CVE-2026-22857
Published: 14 January 2026
Summary
CVE-2026-22857 is a medium-severity use-after-free (CWE-416) vulnerability in FreeRDP. Its CVSS base score is 6.8 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It ranks at the 35.9th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-22857 is a heap use-after-free vulnerability (CWE-416) in FreeRDP, a free implementation of the Remote Desktop Protocol (RDP). The issue affects versions prior to 3.20.1 and lies in the irp_thread_func function, where an IRP object is freed by irp->Complete() but then accessed again on the error path. Published on 2026-01-14, it carries a CVSS v3.1 base score of 9.8, indicating critical severity.
A remote, unauthenticated attacker can exploit this vulnerability over the network with low attack complexity and no user interaction. A crafted RDP connection triggers the use-after-free, with high impact on confidentiality, integrity, and availability, up to remote code execution on the affected FreeRDP instance.
The FreeRDP security advisory (GHSA-4gxq-jhq6-4cr8) and release notes for version 3.20.1 confirm the vulnerability has been fixed in that release. Security practitioners should upgrade FreeRDP to 3.20.1 or later to mitigate the issue.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-2670
Vulnerability details
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, a heap use-after-free occurs in irp_thread_func because the IRP is freed by irp->Complete() and then accessed again on the error path. This vulnerability is fixed in 3.20.1.
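To make the ordering defect concrete, the following is a constructed C model of the bug class, added here as an illustration; it is not FreeRDP's code, and the IRP fields, irp_complete, irp_new and process_irp are hypothetical names. The comment above process_irp shows the vulnerable order the advisory describes (read the IRP after Complete() has freed it); the live code shows the safe order, where the error path captures what it needs before Complete() releases the IRP and the pointer is dropped afterwards.

```c
#include <stdint.h>
#include <stdlib.h>

/* Constructed model of an RDP device-redirection I/O request packet (IRP).
 * Not FreeRDP's struct: every field and function name here is hypothetical. */
typedef struct irp IRP;
struct irp {
    uint32_t device_id;        /* device the request was routed to */
    uint32_t completion_id;    /* id echoed back to the client */
    int32_t  io_status;        /* result set by the device handler */
    int (*Complete)(IRP *irp); /* sends the reply and frees the IRP */
};
#define IRP_OK      0
#define IRP_FAILED (-1)

/* Where the error path records what failed (stands in for a log call). */
typedef struct { uint32_t device_id, completion_id; int error; } IrpFailure;

/* Models irp->Complete(): once it returns, irp is freed and must not be used.
 * Constructed rule: a non-zero io_status makes completion fail, so the
 * error path in process_irp() is exercised. */
static int irp_complete(IRP *irp)
{
    int rc = (irp->io_status == 0) ? IRP_OK : IRP_FAILED;
    free(irp);
    return rc;
}
static IRP *irp_new(uint32_t device_id, uint32_t completion_id, int32_t status)
{
    IRP *irp = malloc(sizeof *irp);
    if (irp) *irp = (IRP){ device_id, completion_id, status, irp_complete };
    return irp;
}

/* The vulnerable ordering reads the IRP after Complete() has freed it:
 *     rc = irp->Complete(irp);
 *     if (rc != IRP_OK) record(irp->device_id, irp->completion_id); // UAF
 * The safe ordering copies what the error path needs *before* the call and
 * then drops the pointer, so nothing after it can touch freed memory. */
static int process_irp(IRP *irp, IrpFailure *failure)
{
    uint32_t device_id = irp->device_id;
    uint32_t completion_id = irp->completion_id;
    int rc = irp->Complete(irp);
    irp = NULL;                       /* ownership ended inside Complete() */
    if (rc != IRP_OK)
        *failure = (IrpFailure){ device_id, completion_id, rc };
    return rc;
}
```

The same discipline applies to any field read after Complete() in the original thread function: copy it out first, or restructure so the completion call is the last thing that touches the IRP.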
- CWE(s): CWE-416 (Use After Free)
Related Threats
MITRE ATT&CK Enterprise Techniques
- Exploit Public-Facing Application (T1190)
Why these techniques?
The vulnerability allows direct, remote, unauthenticated code execution via a crafted RDP connection to FreeRDP, a public-facing RDP implementation.
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Mandates timely identification, reporting, and remediation of flaws like the heap use-after-free in FreeRDP via patching to version 3.20.1 or later, directly eliminating the vulnerability.
- SI-16 (Memory Protection): Implements memory protection safeguards such as ASLR and DEP that hinder exploitation of the heap use-after-free for unauthorized code execution.
- RA-5 (Vulnerability Monitoring and Scanning): Requires vulnerability scanning to identify systems running vulnerable versions of FreeRDP affected by CVE-2026-22857.