CVE-2026-22854

9.8 CRITICAL

📋 TL;DR

This is a critical heap buffer overflow vulnerability in FreeRDP that allows a malicious RDP server to execute arbitrary code on client systems by sending oversized file read requests. It affects all FreeRDP clients connecting to untrusted servers. The vulnerability is remotely exploitable without authentication.

💻 Affected Systems

Products:
  • FreeRDP
Versions: All versions prior to 3.20.1
Operating Systems: Linux, Windows, macOS, BSD
Default Config Vulnerable: ⚠️ Yes
Notes: Any system using the FreeRDP client to connect to RDP servers is vulnerable. The vulnerability is in the client-side file system redirection feature.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution leading to complete system compromise, data theft, and lateral movement within networks.

🟠 Likely Case

Remote code execution allowing attackers to install malware, create backdoors, or steal credentials from vulnerable clients.

🟢 If Mitigated

Limited impact if clients only connect to trusted internal servers with proper network segmentation and monitoring.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires the client to connect to a malicious server; no authentication is needed on the server side.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.20.1

Vendor Advisory: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-47vj-g3c3-3rmf

Restart Required: Yes

Instructions:

1. Download FreeRDP 3.20.1 or later from official sources.
2. Uninstall previous versions.
3. Install the patched version.
4. Restart affected systems.

🔧 Temporary Workarounds

Disable drive redirection (applies to: all)

Prevents file system redirection, which is the vulnerable component:

xfreerdp /drive:off
wfreerdp /drive:off

Network segmentation (applies to: all)

Restrict FreeRDP clients to connecting only to trusted internal servers.

🧯 If You Can't Patch

  • Implement strict network controls to prevent FreeRDP clients from connecting to untrusted RDP servers
  • Use alternative RDP clients that are not vulnerable to this specific CVE

🔍 How to Verify

Check if Vulnerable:

Check the FreeRDP version with 'xfreerdp --version' or 'wfreerdp --version'. If the version is below 3.20.1, the system is vulnerable.

Check Version:

xfreerdp --version 2>&1 | head -1

Verify Fix Applied:

After patching, verify that the reported version is 3.20.1 or higher using the same version command.
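The version check above, as an added script that is not part of this advisory or of FreeRDP itself: it parses the first line of `xfreerdp --version` / `wfreerdp --version` and compares it with the fixed release 3.20.1. The banner wording ("This is FreeRDP version X.Y.Z (...)") and the sample strings are assumptions.

```python
"""Check whether a FreeRDP client build is at or above the fixed release (3.20.1).

Added example for this advisory, not FreeRDP project code. The banner format
("This is FreeRDP version X.Y.Z (...)") and any sample strings are assumptions.
"""
import re
import shutil
import subprocess

FIXED_VERSION = (3, 20, 1)  # first release carrying the fix for CVE-2026-22854

# First dotted version in the banner, plus an optional pre-release tag
# such as "-dev" or "+rc1", captured separately so those builds can be flagged.
_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)(?:\.(\d+))?([-+][0-9A-Za-z.]+)?")


def parse_version(banner: str):
    """Return ((major, minor, patch), tag_or_None), or None if no version is found."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, patch, tag = m.groups()
    return (int(major), int(minor), int(patch or 0)), tag


def classify(banner: str) -> str:
    """Map a version banner to 'patched', 'vulnerable', 'prerelease' or 'unknown'."""
    parsed = parse_version(banner)
    if parsed is None:
        return "unknown"
    version, tag = parsed
    if version < FIXED_VERSION:
        return "vulnerable"
    # A build reporting 3.20.1 with a -dev/-rc suffix predates the tagged
    # release, so it cannot be assumed to contain the fix.
    if version == FIXED_VERSION and tag:
        return "prerelease"
    return "patched"


def check_installed(binary: str = "xfreerdp") -> str:
    """Run `<binary> --version` if it is on PATH and classify the first output line."""
    path = shutil.which(binary)
    if path is None:
        return "unknown"
    out = subprocess.run([path, "--version"], capture_output=True, text=True)
    lines = (out.stdout or out.stderr).splitlines()
    return classify(lines[0]) if lines else "unknown"
```

`check_installed()` runs the version command on the local machine; `classify()` can equally be fed banners collected from a fleet by an inventory tool.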

📡 Detection & Monitoring

Log Indicators:

  • Unusual file read operations in RDP logs
  • Large file transfer attempts via RDP drive redirection

Network Indicators:

  • RDP connections to unknown or suspicious servers
  • Abnormal RDP traffic patterns

SIEM Query:

source="rdp_logs" AND ((event="file_read" AND size>threshold) OR (destination_ip NOT IN trusted_servers))
