Description
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, a heap use-after-free occurs in irp_thread_func because the IRP is freed by irp->Complete() and then accessed again on the error path. This vulnerability is fixed in 3.20.1.
Published: 2026-01-14
Score: 6.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Memory Corruption
Action: Patch
AI Analysis

Impact

A heap use-after-free occurs in FreeRDP's irp_thread_func when an IRP object is freed and then accessed again along an error path. If that error path is triggered, the stale access can lead to memory corruption. The weakness is identified as CWE-416.
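As an added illustration of the bug class the description names (not FreeRDP's code and not the real irp_thread_func), the following C model uses hypothetical names: a Complete() callback that frees the request object, a caller that then reads it on the error path, and beside it the fixed shape that copies what the error path needs before handing over ownership:

```c
#include <stdio.h>
#include <stdlib.h>
/* Hypothetical model of the bug class in the description; not FreeRDP's code.
 * A request object whose Complete() callback frees it, like irp->Complete(). */
typedef struct irp {
    unsigned id;
    int (*Complete)(struct irp *irp);
} IRP;

/* Complete() takes ownership: irp is freed whether it succeeds or fails.
 * Constructed rule for the demo: odd ids report failure. */
int irp_complete(IRP *irp)
{
    int rc = (irp->id % 2 == 0) ? 0 : -1;
    free(irp);
    return rc;
}
IRP *irp_new(unsigned id)
{
    IRP *irp = calloc(1, sizeof *irp);
    if (irp) {
        irp->id = id;
        irp->Complete = irp_complete;
    }
    return irp;
}

/* Vulnerable shape (CWE-416): the error path logs irp->id after Complete()
 * has already freed the object, the same free-then-use ordering described. */
int process_irp_vulnerable(IRP *irp)
{
    if (irp->Complete(irp) != 0) {
        fprintf(stderr, "IRP %u failed\n", irp->id); /* stale pointer */
        return -1;
    }
    return 0;
}

/* Fixed shape: copy what the error path needs before ownership passes to
 * Complete(), and clear the caller's pointer so no later path can reuse it. */
int process_irp_fixed(IRP **pirp, unsigned *failed_id)
{
    unsigned id = (*pirp)->id;        /* captured while the object is still live */
    int rc = (*pirp)->Complete(*pirp);
    *pirp = NULL;                     /* freed by Complete(); never touch it again */
    if (rc != 0) {
        *failed_id = id;              /* report from the copy, not the freed object */
        return -1;
    }
    return 0;
}
```

Built with -fsanitize=address, calling process_irp_vulnerable on a failing IRP produces a heap-use-after-free report at the fprintf, while process_irp_fixed runs clean; that is the same signal a fuzzing or CI job would use to catch this ordering defect before release.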

Affected Systems

All installations of FreeRDP older than release 3.20.1 are affected.

Risk and Exploitability

The CVSS score of 6.8 indicates moderate severity, while the EPSS score of less than 1% indicates a very low exploitation probability at present. The vulnerability is not listed in the CISA KEV catalog. Based on the description, exploiting the flaw would require an attacker to trigger the error path after the IRP has been freed, which would need access to the RDP service.

Generated by OpenCVE AI on April 18, 2026 at 19:13 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade FreeRDP to version 3.20.1 or later to apply the fix for the heap use-after-free flaw.
  • If an upgrade cannot be performed immediately, restrict RDP traffic to trusted networks or disable the RDP service from untrusted networks to reduce exposure.
  • Monitor system logs for anomalous RDP activity that may indicate an attempt to exploit the flaw.

Advisories

No advisories yet.

History

Tue, 20 Jan 2026 18:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:freerdp:freerdp:*:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 5.6, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L'}

cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Thu, 15 Jan 2026 12:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

cvssV3_1

{'score': 5.6, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L'}

threat_severity

Moderate


Thu, 15 Jan 2026 08:15:00 +0000

Type Values Removed Values Added
First Time appeared Freerdp
Freerdp freerdp
Vendors & Products Freerdp
Freerdp freerdp

Wed, 14 Jan 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 14 Jan 2026 18:00:00 +0000

Type Values Removed Values Added
Description FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, a heap use-after-free occurs in irp_thread_func because the IRP is freed by irp->Complete() and then accessed again on the error path. This vulnerability is fixed in 3.20.1.
Title FreeRDP has a heap-use-after-free in irp_thread_func
Weaknesses CWE-416
References
Metrics cvssV4_0

{'score': 6.8, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-26T15:04:08.901Z

Reserved: 2026-01-12T16:20:16.746Z

Link: CVE-2026-22857

Vulnrichment

Updated: 2026-01-14T21:11:27.603Z

NVD

Status : Analyzed

Published: 2026-01-14T18:16:43.373

Modified: 2026-01-20T18:34:43.760

Link: CVE-2026-22857

Redhat

Severity : Moderate

Public Date: 2026-01-14T17:53:54Z

Links: CVE-2026-22857 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-18T19:15:10Z

Weaknesses