CVE-2026-22859

9.1 CRITICAL

📋 TL;DR

This vulnerability in FreeRDP allows remote attackers to cause an out-of-bounds read by sending specially crafted MSUSB_INTERFACE_DESCRIPTOR values. This could lead to information disclosure or potentially remote code execution. Anyone using FreeRDP versions before 3.20.1 for remote desktop connections is affected.

💻 Affected Systems

Products:
  • FreeRDP
Versions: All versions prior to 3.20.1
Operating Systems: Linux, Windows, macOS, BSD
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects clients using the URBDRC (USB redirection) feature. The vulnerability is triggered when connecting to a malicious RDP server.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete system compromise of the FreeRDP client machine

🟠 Likely Case: Information disclosure through memory leaks, potentially exposing sensitive data or causing application crashes

🟢 If Mitigated: Denial of service through application crashes if memory corruption doesn't lead to code execution

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires the attacker to control or compromise an RDP server that the victim connects to. The vulnerability is in the client-side processing of server responses.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.20.1

Vendor Advisory: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-56f5-76qv-2r36

Restart Required: Yes

Instructions:

1. Download FreeRDP 3.20.1 or later from the official repository.
2. Uninstall the current version.
3. Install the patched version.
4. Restart any applications using FreeRDP.

🔧 Temporary Workarounds

Disable USB Redirection (all platforms)

Disable the URBDRC feature that contains the vulnerable code path:

xfreerdp /usb:id,dev:disable
wfreerdp /usb:id,dev:disable

Network Segmentation (all platforms)

Restrict RDP connections to trusted servers only using firewall rules.

🧯 If You Can't Patch

  • Disable USB redirection feature in FreeRDP client configuration
  • Use alternative RDP clients or VPN solutions for remote access

🔍 How to Verify

Check if Vulnerable:

Check FreeRDP version with 'xfreerdp --version' or 'wfreerdp --version'. If version is below 3.20.1, the system is vulnerable.

Check Version:

xfreerdp --version 2>&1 | head -1

Verify Fix Applied:

After patching, run the same version command and confirm that the reported version is 3.20.1 or higher.
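The version check above compares a dotted version string numerically, which a naive string comparison gets wrong (for example "3.9.0" sorts after "3.20.1" lexically). The script below is an added example, not part of this advisory or of the FreeRDP project; it assumes the first line of `xfreerdp --version` contains a "major.minor.patch" token and uses constructed banner strings for illustration.

```shell
#!/bin/sh
# Added example: decide whether an installed FreeRDP predates the 3.20.1 fix
# for CVE-2026-22859 by parsing the banner printed by `xfreerdp --version`.
# Assumption: the banner contains a major.minor.patch token such as
# "This is FreeRDP version 3.20.0 (n/a)" (constructed sample format).

FIXED_VERSION="3.20.1"

# Print the first X.Y.Z token found in the banner, or nothing if absent.
freerdp_extract_version() {
    printf '%s\n' "$1" | grep -oE '[0-9]+\.[0-9]+\.[0-9]+' | head -n 1
}

# Compare two dotted versions component by component (numeric, not lexical).
# Prints -1 if $1 < $2, 0 if equal, 1 if $1 > $2. Missing components count as 0.
version_cmp() {
    i=1
    while [ "$i" -le 3 ]; do
        x=$(printf '%s' "$1" | cut -d. -f"$i")
        y=$(printf '%s' "$2" | cut -d. -f"$i")
        if [ "${x:-0}" -lt "${y:-0}" ]; then echo -1; return; fi
        if [ "${x:-0}" -gt "${y:-0}" ]; then echo 1; return; fi
        i=$((i + 1))
    done
    echo 0
}

# Exit 0 if the banner describes a version below 3.20.1, 1 if it is fixed,
# and 2 if no version could be parsed (treat as "unknown", not "safe").
freerdp_is_vulnerable() {
    v=$(freerdp_extract_version "$1")
    [ -n "$v" ] || return 2
    [ "$(version_cmp "$v" "$FIXED_VERSION")" -lt 0 ]
}

# Run against the real client when it is installed; otherwise do nothing.
if command -v xfreerdp >/dev/null 2>&1; then
    banner=$(xfreerdp --version 2>&1 | head -n 1)
    if freerdp_is_vulnerable "$banner"; then
        echo "VULNERABLE (below $FIXED_VERSION): $banner"
    else
        echo "not affected or unparsed: $banner"
    fi
fi
```

A parse failure is reported separately (exit code 2) so that a renamed or unusual banner is not silently counted as patched.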

📡 Detection & Monitoring

Log Indicators:

  • FreeRDP crash logs
  • Segmentation fault errors in system logs when using RDP
  • Unexpected memory access errors

Network Indicators:

  • RDP connections to untrusted servers
  • Unusual RDP traffic patterns

SIEM Query:

source="*freerdp*" AND ("segmentation fault" OR "out of bounds" OR "memory violation")
