CVE-2026-22852

9.8 CRITICAL

📋 TL;DR

A heap buffer overflow vulnerability in FreeRDP allows malicious RDP servers to trigger memory corruption and crash FreeRDP clients. This affects all FreeRDP clients connecting to untrusted RDP servers. The vulnerability is in the audio input processing code when handling format lists.

💻 Affected Systems

Products:
  • FreeRDP
Versions: All versions prior to 3.20.1
Operating Systems: Linux, Windows, macOS, BSD
Default Config Vulnerable: ⚠️ Yes
Notes: Any FreeRDP client connecting to RDP servers is vulnerable. The vulnerability is triggered during audio input format negotiation.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to complete system compromise of the FreeRDP client machine.

🟠

Likely Case

Client crash and denial of service, potentially allowing attackers to disrupt RDP sessions.

🟢

If Mitigated

Limited to denial of service if exploit fails to achieve code execution.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires the client to connect to a malicious RDP server. No authentication is needed to trigger the vulnerability.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.20.1

Vendor Advisory: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-9chc-g79v-4qq4

Restart Required: Yes

Instructions:

1. Download FreeRDP 3.20.1 or later from the official repository.
2. Compile and install the new version.
3. Restart any FreeRDP client applications.

🔧 Temporary Workarounds

Disable Audio Input

all

Disable audio input functionality in FreeRDP client configuration to prevent triggering the vulnerable code path.

xfreerdp /audio-input:off /v:server

🧯 If You Can't Patch

  • Restrict RDP connections to trusted servers only using network controls.
  • Monitor for crashes of FreeRDP processes and investigate connections preceding crashes.

🔍 How to Verify

Check if Vulnerable:

Check FreeRDP version with 'xfreerdp --version' or equivalent command. If version is below 3.20.1, the system is vulnerable.

Check Version:

xfreerdp --version

Verify Fix Applied:

Verify the installed version is 3.20.1 or higher using the version check command.
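A small POSIX shell helper, added here as an example and not part of the advisory, that turns the version check above into something scriptable across a fleet: it pulls the first X.Y.Z token out of whatever `xfreerdp --version` prints (an assumption about the output format) and compares it numerically against the fixed release 3.20.1 named in this advisory, so that "3.9.0" is correctly ranked below "3.20.1" where a plain string comparison would get it wrong.

```shell
#!/bin/sh
# Added example (not from the advisory): classify a FreeRDP version string
# against the fixed release named above. Assumes the version text contains
# a dotted X.Y.Z token, e.g. "This is FreeRDP version 3.20.1 (...)".
FIXED_VERSION="3.20.1"

# extract_version TEXT: print the first X.Y.Z token found in TEXT (empty if none).
extract_version() {
    printf '%s\n' "$1" | grep -oE '[0-9]+\.[0-9]+\.[0-9]+' | head -n 1
}

# version_lt A B: succeed if dotted version A is numerically lower than B.
# Both arguments must already be plain X.Y.Z strings (see extract_version).
version_lt() {
    lhs=$1
    rhs=$2
    oldifs=$IFS
    IFS=.
    set -- $lhs
    lkey=$(( ${1:-0} * 1000000 + ${2:-0} * 1000 + ${3:-0} ))
    set -- $rhs
    rkey=$(( ${1:-0} * 1000000 + ${2:-0} * 1000 + ${3:-0} ))
    IFS=$oldifs
    if [ "$lkey" -lt "$rkey" ]; then
        return 0
    else
        return 1
    fi
}

# classify_version TEXT: print "vulnerable", "fixed" or "unknown" for the
# version found in TEXT, relative to FIXED_VERSION.
classify_version() {
    ver=$(extract_version "$1")
    if [ -z "$ver" ]; then
        echo unknown
    elif version_lt "$ver" "$FIXED_VERSION"; then
        echo vulnerable
    else
        echo fixed
    fi
}

# Stand-alone use: classify the locally installed client, if there is one.
if command -v xfreerdp >/dev/null 2>&1; then
    classify_version "$(xfreerdp --version 2>&1)"
fi
```

Run it on each workstation and collect the printed word; anything other than "fixed" should be scheduled for the upgrade in the Official Fix section.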

📡 Detection & Monitoring

Log Indicators:

  • FreeRDP process crashes
  • Segmentation fault errors in system logs

Network Indicators:

  • RDP connections to untrusted servers
  • Multiple failed RDP sessions

SIEM Query:

process.name:"xfreerdp" AND event.action:"crashed"
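For hosts without a SIEM, the same log indicators can be pulled straight from syslog. The shell snippet below is an added example, not part of the advisory: it scans syslog-style lines for kernel segfault records attributed to an xfreerdp process and prints the crashing PID together with the object the fault occurred in, which is the first thing to look at before investigating the server the session was connected to. The log lines it runs over are constructed for illustration, not captured from a real incident.

```shell
#!/bin/sh
# Added example (not from the advisory): report xfreerdp segfault records
# found in syslog-style input. SAMPLE_LOG is constructed sample data.
SAMPLE_LOG='Mar  3 10:14:01 ws01 xfreerdp[4123]: example unrelated message
Mar  3 10:14:09 ws01 kernel: xfreerdp[4123]: segfault at 0 ip 00007f3a1c2b4e10 sp 00007ffd1a2b3c40 error 4 in libfreerdp-client3.so.3[7f3a1c200000+e0000]
Mar  3 10:15:30 ws01 kernel: firefox[2222]: segfault at 8 ip 0000556677889900 sp 00007ffd00000000 error 6 in firefox[556677000000+100000]
Mar  3 10:16:02 ws01 kernel: xfreerdp[4201]: segfault at 10 ip 00007f3a1c2b4e10 sp 00007ffd1a2b3c40 error 4 in libfreerdp-client3.so.3[7f3a1c200000+e0000]'

# freerdp_crashes: read log lines on stdin; for every kernel segfault record
# whose process name is xfreerdp, print "<pid> <faulting object>".
freerdp_crashes() {
    awk '
        / xfreerdp\[[0-9]+\]: segfault at / {
            pid = $0
            sub(/.* xfreerdp\[/, "", pid)   # drop everything up to the PID
            sub(/\].*/, "", pid)            # drop everything after the PID
            obj = $0
            sub(/.* in /, "", obj)          # keep the "in <object>[...]" tail
            sub(/\[.*/, "", obj)            # strip the mapping range
            print pid, obj
        }'
}

# crash_count: number of xfreerdp segfault records on stdin.
crash_count() {
    freerdp_crashes | wc -l | tr -d ' '
}

# Stand-alone use over the constructed sample (prints two lines).
printf '%s\n' "$SAMPLE_LOG" | freerdp_crashes
```

On a real host, replace the sample with `journalctl -k` or the contents of `/var/log/kern.log` and join the reported PID against your connection records to find the server the client was talking to when it died.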

🔗 References
