CVE-2026-22855

9.1 CRITICAL

📋 TL;DR

A heap out-of-bounds read in the SetAttrib handling of FreeRDP's smartcard redirection code lets an attacker who can supply malformed smartcard request data read past the end of a heap buffer. Affected are FreeRDP clients and servers before version 3.20.1 that have smartcard support enabled. The read itself yields disclosure of heap contents or a crash, and can serve as the information-leak stage of a longer attack chain.

💻 Affected Systems

Products:
  • FreeRDP
Versions: All versions prior to 3.20.1
Operating Systems: Linux, Windows, macOS, BSD systems running FreeRDP
Default Config Vulnerable: No
Notes: Only vulnerable when smartcard authentication is enabled and used. Standard RDP connections without smartcards are not affected.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Disclosure of sensitive heap contents (credentials, session data) or, when chained with a separate memory-corruption bug, use of the leak (for example to defeat ASLR) on the way to remote code execution and full system compromise. The out-of-bounds read on its own does not give code execution.

🟠 Likely Case

Information disclosure of heap memory, denial of service through application crashes, or use as an information-leak primitive in multi-stage attacks.

🟢 If Mitigated

Limited impact where smartcard support is disabled and the service is reachable only from segmented, trusted networks, though the vulnerable code remains present until 3.20.1 is installed.

🌐 Internet-Facing: MEDIUM - FreeRDP servers exposed to the internet with smartcard authentication enabled are vulnerable, but exploitation requires specific conditions.
🏢 Internal Only: MEDIUM - Internal FreeRDP deployments with smartcard authentication present similar risks as internet-facing systems.

🎯 Exploit Status

Public PoC: No
Weaponized: UNKNOWN
Unauthenticated Exploit: No
Complexity: MEDIUM

Exploitation requires the attacker to be able to drive the smartcard SetAttrib path with malformed data, which in practice means being the peer in an RDP session that has smartcard support enabled. No public exploit was known as of the advisory date.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.20.1

Vendor Advisory: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-rwp3-g84r-6mx9

Restart Required: Yes

Instructions:

1. Download FreeRDP 3.20.1 from the official releases page.
2. Stop all FreeRDP services.
3. Install the new version via your OS package manager or from source, following the build instructions.
4. Restart the services or systems that use FreeRDP.

🔧 Temporary Workarounds

Disable smartcard authentication (all platforms)

Disable smartcard support in FreeRDP so the vulnerable SetAttrib path is never reached.

For the FreeRDP client: start xfreerdp without the /smartcard (smartcard redirection) and /smartcard-logon options; redirection is off unless one of them is given.
For a FreeRDP-based server: configure it not to accept smartcard authentication.

Network segmentation (Linux)

Restrict access to FreeRDP servers to trusted networks only. Replace TRUSTED_NETWORK with your management range in CIDR form (for example 10.10.0.0/16). These rules apply to the listening (server) side; a client is only ever reached by the server it chooses to connect to. With firewalld, reload after adding the permanent rule and make sure the zone does not also open 3389/tcp unconditionally (check firewall-cmd --list-ports). With iptables, the ACCEPT achieves nothing unless everything else on 3389 is dropped after it.

firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="TRUSTED_NETWORK" port protocol="tcp" port="3389" accept'
firewall-cmd --reload
iptables -A INPUT -p tcp --dport 3389 -s TRUSTED_NETWORK -j ACCEPT
iptables -A INPUT -p tcp --dport 3389 -j DROP

🧯 If You Can't Patch

  • Disable smartcard authentication entirely in all FreeRDP configurations
  • Implement strict network access controls to limit FreeRDP exposure to only necessary users

🔍 How to Verify

Check if Vulnerable:

Check the FreeRDP version and smartcard configuration. Vulnerable if the version is below 3.20.1 and smartcard support (redirection or logon) is enabled.

Check Version:

xfreerdp /version or xfreerdp --version (Linux) prints the installed version; alternatively query the package manager, e.g. rpm -q freerdp or dpkg -l 'freerdp*' (package names vary by distribution). Compare version numbers component by component, not as strings: 3.9.x is older than 3.20.1.

Verify Fix Applied:

Verify FreeRDP version is 3.20.1 or later and test smartcard functionality to ensure it still works properly.
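The following is an added example, not code from the advisory or from the FreeRDP project: a small Python checker that applies the decision rule above (version below 3.20.1 and smartcard support enabled) and avoids the classic mistake of comparing version strings lexically, where "3.9.0" sorts after "3.20.1". It assumes that xfreerdp /version prints the version number somewhere in its output, and it takes the smartcard-enabled flag from the operator, since that is a per-deployment setting the tool cannot see.

```python
import re
import subprocess

# Version that carries the fix, per the advisory above.
FIXED_VERSION = (3, 20, 1)

_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text):
    """Return the first x.y.z triple in text as a tuple of ints, or None.

    Works on a bare string such as "3.20.0" and on the banner printed by
    `xfreerdp /version` (assumed to contain the version number somewhere).
    """
    m = _VERSION_RE.search(text)
    return tuple(int(g) for g in m.groups()) if m else None


def is_vulnerable_version(version):
    """True when the installed version is older than 3.20.1.

    Tuple comparison is numeric per component, so (3, 9, 0) < (3, 20, 1);
    a plain string comparison gets this wrong because "9" > "2".
    """
    return version < FIXED_VERSION


def assess(version_text, smartcard_enabled):
    """Apply the page's rule: exposed only if the version is below 3.20.1
    AND smartcard support is enabled."""
    version = parse_version(version_text)
    if version is None:
        return "UNKNOWN: could not parse a version number"
    if not is_vulnerable_version(version):
        return "PATCHED: %d.%d.%d includes the fix" % version
    if smartcard_enabled:
        return "VULNERABLE: %d.%d.%d with smartcard support enabled" % version
    return "UNPATCHED: %d.%d.%d, not exposed while smartcard support stays disabled" % version


def installed_version_text(binary="xfreerdp"):
    """Run `xfreerdp /version` and return its combined output, or "" when the
    binary is missing or does not respond."""
    try:
        proc = subprocess.run([binary, "/version"], capture_output=True,
                              text=True, timeout=10, check=False)
    except (OSError, subprocess.TimeoutExpired):
        return ""
    return proc.stdout + proc.stderr


if __name__ == "__main__":
    import sys
    # Assumption: the operator knows whether /smartcard or /smartcard-logon is
    # in use; pass the word "smartcard" as the first argument to say it is.
    enabled = len(sys.argv) > 1 and sys.argv[1] == "smartcard"
    print(assess(installed_version_text(), enabled))
```

Run it on each host as `python3 check_freerdp.py smartcard` where smartcard redirection or logon is configured, or without the argument elsewhere; an UNPATCHED result still warrants scheduling the upgrade, since the code is only one configuration change away from being reachable.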

📡 Detection & Monitoring

Log Indicators:

  • Unexpected application crashes in FreeRDP with smartcard errors
  • Multiple failed smartcard authentication attempts from single source
  • Memory access violation errors in application logs

Network Indicators:

  • Unusual RDP traffic patterns with smartcard authentication
  • Multiple connection attempts to RDP port 3389 with varying payload sizes

SIEM Query:

source="freerdp.log" AND ("smartcard" OR "SetAttrib") AND ("crash" OR "error" OR "violation")

FreeRDP writes its WLog output to stderr by default, so there is no freerdp.log to search unless logging has first been routed somewhere persistent (for example WLOG_APPENDER=SYSLOG or WLOG_APPENDER=JOURNALD in the process environment, or a file appender); point the source= clause at wherever those lines actually land.
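As an added example (not part of the advisory and not FreeRDP code), the query above and the per-source indicator from the list are implemented here in Python over a constructed log. The sample lines imitate FreeRDP's default WLog layout ("[hh:mm:ss:ms] [pid:tid] [LEVEL][module] - message"), but their message texts and the trailing client=<ip> field are inventions for this example; a real deployment would attach the peer address however its log pipeline does (syslog host field, journald metadata, a reverse proxy log), and the extraction regex would change accordingly.

```python
import re
from collections import Counter

# Constructed sample log, NOT real FreeRDP output. Layout imitates WLog's
# default format; messages and the "client=<ip>" field are invented.
SAMPLE_LOG = """\
[10:01:02:117] [4011:4012] [INFO][com.freerdp.core] - connection established client=198.51.100.7
[10:01:03:402] [4011:4012] [ERROR][com.freerdp.channels.smartcard.client] - SetAttrib: attribute length 65535 exceeds buffer client=198.51.100.7
[10:01:03:409] [4011:4012] [ERROR][com.freerdp.channels.smartcard.client] - smartcard authentication failed client=198.51.100.7
[10:01:04:001] [4011:4012] [ERROR][com.freerdp.channels.smartcard.client] - smartcard authentication failed client=198.51.100.7
[10:01:04:550] [4011:4012] [ERROR][com.freerdp.channels.smartcard.client] - smartcard authentication failed client=198.51.100.7
[10:01:05:000] [4011:4012] [INFO][com.freerdp.channels.smartcard.client] - smartcard device redirected client=203.0.113.5
[10:01:06:210] [4011:4012] [WARN][com.freerdp.core.transport] - BIO_read returned an error client=203.0.113.5
[10:01:07:330] [4011:4012] [ERROR][com.freerdp.channels.smartcard.client] - smartcard authentication failed client=203.0.113.5
"""

_LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<pidtid>[^\]]+)\] \[(?P<level>[A-Z]+)\]"
    r"\[(?P<module>[^\]]+)\] - (?P<msg>.*)$"
)
_CLIENT_RE = re.compile(r"\bclient=(\S+)")        # assumed field, see lead-in
_SMARTCARD_RE = re.compile(r"smartcard|setattrib", re.IGNORECASE)
_FAULT_RE = re.compile(r"crash|error|violation", re.IGNORECASE)


def parse_line(line):
    """Split one WLog-style line into its fields; None for non-matching lines."""
    m = _LINE_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    client = _CLIENT_RE.search(entry["msg"])
    entry["client"] = client.group(1) if client else None
    return entry


def parse_log(text):
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def is_smartcard_fault(entry):
    """The page's SIEM rule as code: a smartcard/SetAttrib context (module or
    message) combined with a crash/error/violation indicator (level or message)."""
    context = entry["module"] + " " + entry["msg"]
    severity = entry["level"] + " " + entry["msg"]
    return bool(_SMARTCARD_RE.search(context) and _FAULT_RE.search(severity))


def failed_smartcard_auth_by_source(entries):
    """Count smartcard authentication failures per client address."""
    counts = Counter()
    for e in entries:
        in_smartcard = _SMARTCARD_RE.search(e["module"] + " " + e["msg"])
        if e["client"] and in_smartcard and "authentication failed" in e["msg"].lower():
            counts[e["client"]] += 1
    return counts


def noisy_sources(entries, threshold=3):
    """Clients with at least `threshold` failed smartcard authentications."""
    by_source = failed_smartcard_auth_by_source(entries)
    return sorted(src for src, n in by_source.items() if n >= threshold)


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for e in entries:
        if is_smartcard_fault(e):
            print("FAULT", e["ts"], e["client"], e["msg"])
    print("repeat offenders:", noisy_sources(entries))
```

Two things the example shows that the keyword query does not: matching "error" against the log level rather than only the message keeps INFO-level lines such as "smartcard device redirected" out of the alert set, and counting failures per source turns a noisy keyword hit into the "multiple failed attempts from a single source" indicator above.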
