CVE-2026-22858
Published: 14 January 2026
Summary
CVE-2026-22858 is a critical-severity Out-of-bounds Read (CWE-125) vulnerability in Freerdp Freerdp. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 29.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
SI-2 mandates timely flaw remediation, directly addressing this buffer overflow by requiring patches to FreeRDP 3.20.1 or later.
SI-16 implements memory protections like ASLR and DEP that mitigate exploitation of out-of-bounds accesses from invalid Base64 decoding.
SI-10 requires validation of inputs to the Base64 decoder, preventing non-ASCII bytes from bypassing range checks and causing overflows.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Remote unauthenticated network exploitation of memory corruption in exposed RDP/FreeRDP service directly matches T1190; resulting crashes enable T1499.004.
NVD Description
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, global-buffer-overflow was observed in FreeRDP's Base64 decoding path. The root cause appears to be implementation-defined char signedness: on Arm/AArch64 builds, plain char is treated as unsigned, so…
more
the guard c <= 0 can be optimized into a simple c != 0 check. As a result, non-ASCII bytes (e.g., 0x80-0xFF) may bypass the intended range restriction and be used as an index into a global lookup table, causing out-of-bounds access. This vulnerability is fixed in 3.20.1.
Deeper analysisAI
CVE-2026-22858 is a global buffer overflow vulnerability (CWE-125: Out-of-bounds Read; CWE-758: Reliance on Undefined, Unspecified, or Implementation-Defined Behavior) in the Base64 decoding path of FreeRDP, an open-source implementation of the Remote Desktop Protocol. The flaw affects FreeRDP versions prior to 3.20.1 and stems from implementation-defined char signedness on Arm/AArch64 builds, where plain char is treated as unsigned. This causes the guard condition c <= 0 to optimize into c != 0, allowing non-ASCII bytes (e.g., 0x80-0xFF) to bypass intended range restrictions and serve as indices into a global lookup table, resulting in out-of-bounds access.
The vulnerability carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H), indicating it is exploitable over the network with low attack complexity, no privileges or user interaction required, and unchanged impact scope. Unauthenticated remote attackers can trigger the issue by supplying malicious input during Base64 decoding in RDP sessions, potentially achieving high confidentiality impact through information disclosure or high availability impact via crashes and denial of service.
FreeRDP addresses this vulnerability in version 3.20.1. Security practitioners should upgrade affected systems to 3.20.1 or later. Additional details are available in the project's security advisory (GHSA-qmqf-m84q-x896) and release notes at https://github.com/FreeRDP/FreeRDP/releases/tag/3.20.1.
Details
- CWE(s)