Description
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, global-buffer-overflow was observed in FreeRDP's Base64 decoding path. The root cause appears to be implementation-defined char signedness: on Arm/AArch64 builds, plain char is treated as unsigned, so the guard c <= 0 can be optimized into a simple c != 0 check. As a result, non-ASCII bytes (e.g., 0x80-0xFF) may bypass the intended range restriction and be used as an index into a global lookup table, causing out-of-bounds access. This vulnerability is fixed in 3.20.1.
Published: 2026-01-14
Score: 5.6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Out-of-bounds memory access in Base64 decoding
Action: Patch Now
AI Analysis

Impact

FreeRDP contains a global buffer overflow in its Base64 decoding routine because signedness of plain char is implementation-defined. Non‑ASCII values may bypass a range check and index a global table out of bounds, corrupting memory. An attacker could exploit this to crash or potentially hijack execution on affected systems.

Affected Systems

The vulnerability affects FreeRDP releases older than 3.20.1, running on architectures such as Arm and AArch64 where char is unsigned. Users of FreeRDP prior to the 3.20.1 release are exposed regardless of operating system.

Risk and Exploitability

The CVSS score is 5.6, indicating a moderate severity. EPSS is below 1 %, so widespread exploitation is unlikely at present, and the issue is not listed in CISA’s KEV catalog. The likely attack vector is remote, through an RDP session that processes Base64-encoded data, such as credentials or other parameters.

Generated by OpenCVE AI on April 18, 2026 at 06:17 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade FreeRDP to version 3.20.1 or later
  • Recompile or configure Victim builds to treat plain char as signed on Arm/AArch64 when possible
  • Monitor RDP connections for abnormal Base64 traffic patterns that could indicate exploitation attempts

Generated by OpenCVE AI on April 18, 2026 at 06:17 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 20 Jan 2026 18:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:freerdp:freerdp:*:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:L'}

 cvssV3_1

{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H'}

Thu, 15 Jan 2026 12:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:L'}

threat_severity

Moderate

Thu, 15 Jan 2026 08:15:00 +0000

Type Values Removed Values Added
First Time appeared Freerdp
Freerdp freerdp
Vendors & Products Freerdp
Freerdp freerdp

Wed, 14 Jan 2026 22:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 14 Jan 2026 18:00:00 +0000

Type Values Removed Values Added
Description FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, global-buffer-overflow was observed in FreeRDP's Base64 decoding path. The root cause appears to be implementation-defined char signedness: on Arm/AArch64 builds, plain char is treated as unsigned, so the guard c <= 0 can be optimized into a simple c != 0 check. As a result, non-ASCII bytes (e.g., 0x80-0xFF) may bypass the intended range restriction and be used as an index into a global lookup table, causing out-of-bounds access. This vulnerability is fixed in 3.20.1.
Title FreeRDP has a global-buffer-overflow in crypto_base64_decode
Weaknesses CWE-125
CWE-758
References
Metrics cvssV4_0

{'score': 5.6, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Freerdp Freerdp
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-14T21:12:03.734Z

Reserved: 2026-01-12T16:20:16.746Z

Link: CVE-2026-22858

cve-icon Vulnrichment

Updated: 2026-01-14T21:12:00.311Z

cve-icon NVD

Status : Analyzed

Published: 2026-01-14T18:16:43.520

Modified: 2026-01-20T18:33:32.850

Link: CVE-2026-22858

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-01-14T17:56:29Z

Links: CVE-2026-22858 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T06:30:25Z

Weaknesses