Description
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, a malicious RDP server can trigger a heap-buffer-overflow write in the FreeRDP client when processing Audio Input (AUDIN) format lists. audin_process_formats reuses callback->formats_count across multiple MSG_SNDIN_FORMATS PDUs and writes past the newly allocated formats array, causing memory corruption and a crash. This vulnerability is fixed in 3.20.1.
Published: 2026-01-14
Score: 6.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Memory Corruption causing Client Crash (Denial of Service)
Action: Apply Patch
AI Analysis

Impact

FreeRDP's client code contains a heap-buffer-overflow in the audin_process_formats function. When an RDP server sends a malformed AUDIN format list, the function reuses the formats_count callback value across multiple PDUs and writes past the newly allocated formats array. This corrupts control data and crashes the client, and could allow an attacker to overwrite memory arbitrarily. The vulnerability is fixed in version 3.20.1; before that release, any remote server the client connects to may trigger the crash or exploit the memory corruption.
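As an added illustration of the bug class the description and this analysis name, the handler below is constructed model code, not FreeRDP's own audin_process_formats; the 4-byte entry layout and the names `process_formats`, `audin_state` and `demo_two_pdus` are assumptions. It derives both its loop bound and its stored count from the PDU it is parsing, so a second, shorter format list can never be written using the count left over from the first:

```c
/* Simplified model of the stale-count bug class behind CVE-2026-22852.
 * Constructed for illustration; not FreeRDP's code or its real PDU layout. */
#include <stdint.h>
#include <stdlib.h>
/* Assumed wire layout: uint32 count (little-endian), then `count` entries of
 * 4 bytes each (uint16 tag, uint16 channels). */
#define ENTRY_SIZE 4
typedef struct { uint16_t tag; uint16_t channels; } audio_format;
typedef struct {
    audio_format *formats;
    uint32_t formats_count; /* the field the advisory says was reused across PDUs */
} audin_state;
static uint32_t rd_u32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static uint16_t rd_u16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
/* Hardened handler: the loop bound and the stored count both come from the PDU
 * being parsed. The vulnerable pattern, as the advisory describes it and NOT done
 * here, allocates `count` slots but keeps using cb->formats_count from the
 * previous PDU, so a second list declaring fewer formats writes past the new array.
 * Returns 0 on success, -1 on a malformed PDU (state is left untouched). */
int process_formats(audin_state *cb, const uint8_t *pdu, size_t len) {
    if (len < 4) return -1;
    uint32_t count = rd_u32(pdu);
    /* Bound count by the bytes actually present; this also rules out size overflow. */
    if (count == 0 || count > (len - 4) / ENTRY_SIZE) return -1;
    audio_format *fresh = calloc(count, sizeof *fresh);
    if (!fresh) return -1;
    for (uint32_t i = 0; i < count; i++) {
        const uint8_t *e = pdu + 4 + (size_t)i * ENTRY_SIZE;
        fresh[i].tag = rd_u16(e);
        fresh[i].channels = rd_u16(e + 2);
    }
    free(cb->formats);         /* replace the old list only once the new one is complete */
    cb->formats = fresh;
    cb->formats_count = count; /* updated together with the array it describes */
    return 0;
}
/* Feed two constructed PDUs (4 formats, then 2) and return the final count.
 * Expected: 2, because the stale 4 never becomes the loop bound or the size. */
uint32_t demo_two_pdus(void) {
    static const uint8_t first[]  = {4,0,0,0, 1,0,1,0, 1,0,2,0, 6,0,1,0, 6,0,2,0};
    static const uint8_t second[] = {2,0,0,0, 1,0,2,0, 6,0,2,0};
    audin_state cb = {0};
    if (process_formats(&cb, first, sizeof first) != 0) return 0;
    if (process_formats(&cb, second, sizeof second) != 0) return 0;
    uint32_t n = cb.formats_count;
    free(cb.formats);
    return n;
}
```

A PDU whose declared count exceeds the bytes it carries is rejected before any allocation, which is the check that keeps a truncated or inflated format list from becoming an out-of-bounds write.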

Affected Systems

All installations of the FreeRDP client before version 3.20.1 are susceptible to the flaw. This includes default builds distributed by the FreeRDP project as well as any custom builds that embed the same library. The issue affects the client side of the Remote Desktop Protocol implementation.

Risk and Exploitability

With a CVSS score of 6.8, the risk is rated medium. The EPSS score puts the probability of exploitation under 1%. The vulnerability is not listed in the CISA KEV catalog, so no active exploitation has been publicly documented. An attacker could trigger the overflow by sending a specially crafted AUDIN PDU from a remote RDP server, making the attack vector network-based. Defensive measures should prioritize patching, and administrators should monitor for unexpected application crashes in RDP sessions.

Generated by OpenCVE AI on April 18, 2026 at 06:19 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade FreeRDP to release 3.20.1 or later, which contains the fixed audio format processing routine.
  • If the upgrade cannot be performed immediately, disable the audio input feature in the client configuration or enable hard limits on AUDIN PDU size to mitigate the overflow.
  • Limit RDP connections to trusted servers and monitor for anomalous AUDIN traffic to detect potential exploitation attempts.

Generated by OpenCVE AI on April 18, 2026 at 06:19 UTC.

Advisories

No advisories yet.

History

Tue, 20 Jan 2026 18:45:00 +0000

  CPEs
    Values added:   cpe:2.3:a:freerdp:freerdp:*:*:*:*:*:*:*:*
  Metrics
    Values removed: cvssV3_1 {'score': 5.6, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L'}
    Values added:   cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Thu, 15 Jan 2026 12:15:00 +0000

  References
  Metrics
    Values removed: threat_severity None
    Values added:   cvssV3_1 {'score': 5.6, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L'}
                    threat_severity Moderate

Thu, 15 Jan 2026 08:15:00 +0000

  First Time appeared
    Values added:   Freerdp
                    Freerdp freerdp
  Vendors & Products
    Values added:   Freerdp
                    Freerdp freerdp

Wed, 14 Jan 2026 21:15:00 +0000

  Metrics
    Values added:   ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 14 Jan 2026 18:00:00 +0000

  Description
    Values added:   FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, a malicious RDP server can trigger a heap-buffer-overflow write in the FreeRDP client when processing Audio Input (AUDIN) format lists. audin_process_formats reuses callback->formats_count across multiple MSG_SNDIN_FORMATS PDUs and writes past the newly allocated formats array, causing memory corruption and a crash. This vulnerability is fixed in 3.20.1.
  Title
    Values added:   FreeRDP has a heap-buffer-overflow in audin_process_formats
  Weaknesses
    Values added:   CWE-787
  References
  Metrics
    Values added:   cvssV4_0 {'score': 6.8, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-26T15:04:10.097Z

Reserved: 2026-01-12T16:20:16.745Z

Link: CVE-2026-22852

Vulnrichment

Updated: 2026-01-14T21:04:14.488Z

NVD

Status : Analyzed

Published: 2026-01-14T18:16:42.643

Modified: 2026-01-20T18:40:31.943

Link: CVE-2026-22852

Redhat

Severity : Moderate

Public Date: 2026-01-14T17:45:22Z

Links: CVE-2026-22852 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-18T06:30:25Z

Weaknesses