Description
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, RDPEAR’s NDR array reader does not perform bounds checking on the on‑wire element count and can write past the heap buffer allocated from hints, causing a heap buffer overflow in ndr_read_uint8Array. This vulnerability is fixed in 3.20.1.
Published: 2026-01-14
Score: 6.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Heap Buffer Overflow
Action: Immediate Patch
AI Analysis

Impact

FreeRDP’s RDPEAR module contains a heap‑buffer‑overflow flaw in the NDR array reader, where an untrusted element count is accepted without bounds checking. An attacker who can send a crafted packet during a Remote Desktop Protocol session could overwrite memory on the client side, potentially leading to a crash or arbitrary code execution. The weakness is categorized as CWE‑787, a memory corruption issue triggered by improper bounds verification.

Affected Systems

All FreeRDP versions earlier than 3.20.1 are affected. The flaw exists specifically in the ndr_read_uint8Array function used by the RDPEAR component of the FreeRDP client. Upgrading to 3.20.1 or later removes the vulnerability by adding necessary bounds checks.

Risk and Exploitability

The CVSS score is 6.8, indicating a medium severity. The EPSS score is below 1 %, suggesting a very low current exploitation probability. The vulnerability is not listed in the CISA KEV catalog. Exploitation would require network access to the RDP client; therefore, the likely attack vector is remote via a malicious RDP connection. No confirmed public exploits are available at this time.

Generated by OpenCVE AI on April 18, 2026 at 16:16 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade FreeRDP to version 3.20.1 or later to remove the vulnerable ndr_read_uint8Array code.
  • Require RDP session encryption (e.g., TLS or Network Level Authentication) to reduce the impact of crafted packets.
  • Limit inbound RDP connections to known trusted IP ranges or apply firewall rules to reduce exposure to the vulnerable client.

Generated by OpenCVE AI on April 18, 2026 at 16:16 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 20 Jan 2026 18:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:freerdp:freerdp:*:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 5.6, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L'}

 cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Thu, 15 Jan 2026 12:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 cvssV3_1

{'score': 5.6, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L'}

threat_severity

Moderate

Thu, 15 Jan 2026 08:15:00 +0000

Type Values Removed Values Added
First Time appeared Freerdp
Freerdp freerdp
Vendors & Products Freerdp
Freerdp freerdp

Wed, 14 Jan 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 14 Jan 2026 18:00:00 +0000

Type Values Removed Values Added
Description FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, RDPEAR’s NDR array reader does not perform bounds checking on the on‑wire element count and can write past the heap buffer allocated from hints, causing a heap buffer overflow in ndr_read_uint8Array. This vulnerability is fixed in 3.20.1.
Title FreeRDP has a heap-buffer-overflow in ndr_read_uint8Array
Weaknesses CWE-787
References
Metrics cvssV4_0

{'score': 6.8, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Freerdp Freerdp
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-26T15:04:09.818Z

Reserved: 2026-01-12T16:20:16.745Z

Link: CVE-2026-22853

cve-icon Vulnrichment

Updated: 2026-01-14T21:04:50.720Z

cve-icon NVD

Status : Analyzed

Published: 2026-01-14T18:16:42.790

Modified: 2026-01-20T18:39:31.770

Link: CVE-2026-22853

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-01-14T17:46:50Z

Links: CVE-2026-22853 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T16:30:05Z

Weaknesses