CVE-2026-22853

high

Description

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, RDPEAR’s NDR array reader does not perform bounds checking on the on‑wire element count and can write past the heap buffer allocated from hints, causing a heap buffer overflow in ndr_read_uint8Array. This vulnerability is fixed in 3.20.1.

References

https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-22853.json

https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-47v9-p4gp-w5ch

https://github.com/FreeRDP/FreeRDP/releases/tag/3.20.1

https://bugzilla.redhat.com/show_bug.cgi?id=2429647

https://access.redhat.com/security/cve/CVE-2026-22853

https://access.redhat.com/errata/RHSA-2026:4121

https://access.redhat.com/errata/RHSA-2026:3068

https://access.redhat.com/errata/RHSA-2026:19033

Details

Source: Mitre, NVD

Published: 2026-01-14

Updated: 2026-06-30

Risk Information

CVSS v2

Base Score: 10

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Severity: Critical

CVSS v3

Base Score: 9.8

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Severity: Critical

CVSS v4

Base Score: 7.7

Vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Severity: High

EPSS

EPSS: 0.00042