CVE-2026-22859
Published: 14 January 2026
Summary
CVE-2026-22859 is a critical-severity Out-of-bounds Read (CWE-125) vulnerability in FreeRDP. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); it is ranked at the 29.2nd percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): requires timely remediation of known flaws, directly addressing the out-of-bounds read by mandating updates to FreeRDP version 3.20.1 or later.
- SI-10 (Information Input Validation): mandates validation of information received from external sources such as a malicious RDP server, preventing exploitation via unchecked MSUSB_INTERFACE_DESCRIPTOR values used as array indices.
- Memory protection: implements protections such as address space layout randomization and stack canaries, which reduce the impact of out-of-bounds reads by hindering information disclosure and crash exploitation.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
OOB read in FreeRDP client directly enables exploitation by a malicious RDP server for memory disclosure or DoS on the connecting client.
NVD Description
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, the URBDRC client does not perform bounds checking on server-supplied MSUSB_INTERFACE_DESCRIPTOR values and uses them as indices in libusb_udev_complete_msconfig_setup, causing an out-of-bounds read. This vulnerability is fixed in 3.20.1.
Deeper analysis
CVE-2026-22859 is a high-severity vulnerability in FreeRDP, an open-source implementation of the Remote Desktop Protocol (RDP). Prior to version 3.20.1, the URBDRC client component fails to perform bounds checking on server-supplied MSUSB_INTERFACE_DESCRIPTOR values, which are then used as indices in the libusb_udev_complete_msconfig_setup function. This flaw results in an out-of-bounds read, corresponding to CWE-125 (Out-of-bounds Read) and CWE-129 (Improper Validation of Array Index). The issue carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H).
A remote attacker can exploit this vulnerability by operating a malicious RDP server. When a victim uses a vulnerable FreeRDP client (versions before 3.20.1) to connect to the attacker's server, the attacker can supply crafted MSUSB_INTERFACE_DESCRIPTOR values during the session. This triggers the out-of-bounds read on the client side, potentially allowing the attacker to disclose sensitive information from memory (high confidentiality impact) or cause a denial of service via client crash (high availability impact). Exploitation requires no privileges, user interaction, or special conditions, making it accessible over the network with low complexity.
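The bug class described above, as an added illustration that is not FreeRDP's code: a server-supplied descriptor carries interface and pipe indices that a client uses to look up locally built tables, and the hardened path validates every index against the locally known sizes before dereferencing. The struct layouts, field names and table sizes are hypothetical stand-ins for the MSUSB_INTERFACE_DESCRIPTOR values the advisory refers to.

```c
/* Illustrative model of CVE-2026-22859's bug class; not FreeRDP's code.
 * All types, sizes and field names below are constructed for the example. */
#include <stdint.h>
#include <string.h>

#define MAX_INTERFACES 4
#define MAX_PIPES      8

/* Hypothetical client-side state built from the real USB device. */
typedef struct {
    uint32_t num_interfaces;
    uint32_t num_pipes[MAX_INTERFACES];
    uint32_t pipe_flags[MAX_INTERFACES][MAX_PIPES];
} udev_state_t;

/* Hypothetical untrusted values parsed from the server's descriptor. */
typedef struct {
    uint32_t interface_index;   /* server-controlled, used as a row index  */
    uint32_t pipe_index;        /* server-controlled, used as a column index */
} server_descriptor_t;

/* Vulnerable pattern: wire-supplied indices used without any check.
 * A crafted descriptor makes this read outside pipe_flags (CWE-125/CWE-129). */
uint32_t complete_setup_unchecked(const udev_state_t *st, const server_descriptor_t *d)
{
    return st->pipe_flags[d->interface_index][d->pipe_index];
}

/* Hardened pattern: reject any index outside what the client actually knows
 * (both the runtime counts and the static array bounds). Returns 0 on success. */
int complete_setup_checked(const udev_state_t *st, const server_descriptor_t *d, uint32_t *out)
{
    if (d->interface_index >= st->num_interfaces || d->interface_index >= MAX_INTERFACES)
        return -1;
    if (d->pipe_index >= st->num_pipes[d->interface_index] || d->pipe_index >= MAX_PIPES)
        return -1;
    *out = st->pipe_flags[d->interface_index][d->pipe_index];
    return 0;
}

/* Builds a small constructed device state (2 interfaces: 2 pipes and 1 pipe)
 * and runs the checked path on one server-supplied (iface, pipe) pair.
 * Returns the flag value, or -1 if the descriptor was rejected. */
long demo_checked(uint32_t iface, uint32_t pipe)
{
    udev_state_t st;
    memset(&st, 0, sizeof st);
    st.num_interfaces = 2;
    st.num_pipes[0] = 2;        st.num_pipes[1] = 1;
    st.pipe_flags[0][0] = 0x10; st.pipe_flags[0][1] = 0x11;
    st.pipe_flags[1][0] = 0x20;
    server_descriptor_t d = { iface, pipe };
    uint32_t out = 0;
    if (complete_setup_checked(&st, &d, &out) != 0)
        return -1;
    return (long)out;
}
```

The unchecked variant is included only for comparison; a crafted descriptor passed to it is exactly the out-of-bounds read the advisory describes, whereas the checked variant rejects the same input before any memory access.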
The FreeRDP project addresses this vulnerability in version 3.20.1, as detailed in the release notes and security advisory. Security practitioners should advise users to update FreeRDP clients to 3.20.1 or later to mitigate the issue. Relevant resources include the GitHub release page at https://github.com/FreeRDP/FreeRDP/releases/tag/3.20.1 and the advisory at https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-56f5-76qv-2r36.
Details
- CWE(s)