FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, RDPEAR’s NDR array reader does not perform bounds checking on the on‑wire element count and can write past the heap buffer allocated from hints, causing a heap buffer overflow in ndr_read_uint8Array. This vulnerability is fixed in 3.20.1.
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-22853.json
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-47v9-p4gp-w5ch
https://github.com/FreeRDP/FreeRDP/releases/tag/3.20.1
https://bugzilla.redhat.com/show_bug.cgi?id=2429647
https://access.redhat.com/security/cve/CVE-2026-22853
https://access.redhat.com/errata/RHSA-2026:4121
Published: 2026-01-14
Updated: 2026-06-30
Base Score: 10
Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C
Severity: Critical
Base Score: 9.8
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity: Critical
Base Score: 7.7
Vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Severity: High
EPSS: 0.00042