CVE-2026-22853

EUVD-2026-2674
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, RDPEAR’s NDR array reader does not perform bounds checking on the on‑wire element count and can write past the heap buffer allocated from hints, causing a heap buffer overflow in ndr_read_uint8Array. This vulnerability is fixed in 3.20.1.

| Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector |
|---|---|---|---|---|---|---|
| NIST | Primary | 9.8 CRITICAL | NETWORK | LOW | NONE | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |

EPSS Score
Percentile: 29%

Affected Products (NVD)

| Vendor | Product | Version |
|---|---|---|
| freerdp | freerdp | 𝑥 < 3.20.1 |

𝑥 = Vulnerable software versions

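Debian Releases

| Debian Product | Codename | Version | Status |
|---|---|---|---|
| freerdp2 | bookworm | | no-dsa |
| freerdp2 | bullseye | | vulnerable |
| freerdp2 | bullseye (security) | | vulnerable |
| freerdp3 | forky | 3.26.0+dfsg-1 | fixed |
| freerdp3 | sid | 3.26.0+dfsg-1 | fixed |
| freerdp3 | trixie | 3.15.0+dfsg-2.1+deb13u3 | fixed |
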
openSUSE / SLES Releases

| openSUSE Product | Release | Version | Status |
|---|---|---|---|
| freerdp | suse enterprise desktop 15 SP7 | 3.10.3-150700.3.3.1 | fixed |
| freerdp | suse enterprise sap 15 SP7 | 3.10.3-150700.3.3.1 | fixed |
| freerdp | suse enterprise server 15 SP7 | 3.10.3-150700.3.3.1 | fixed |
| freerdp | suse enterprise workstation 15 SP7 | 3.10.3-150700.3.3.1 | fixed |
| freerdp-devel | suse enterprise desktop 15 SP7 | 3.10.3-150700.3.3.1 | fixed |
| freerdp-devel | suse enterprise sap 15 SP7 | 3.10.3-150700.3.3.1 | fixed |
| freerdp-devel | suse enterprise server 15 SP7 | 3.10.3-150700.3.3.1 | fixed |
| freerdp-devel | suse enterprise workstation 15 SP7 | 3.10.3-150700.3.3.1 | fixed |
| freerdp-proxy | suse enterprise desktop 15 SP7 | 3.10.3-150700.3.3.1 | fixed |
| freerdp-proxy | suse enterprise sap 15 SP7 | 3.10.3-150700.3.3.1 | fixed |
| freerdp-proxy | suse enterprise server 15 SP7 | 3.10.3-150700.3.3.1 | fixed |
| freerdp-proxy | suse enterprise workstation 15 SP7 | 3.10.3-150700.3.3.1 | fixed |
| freerdp-proxy-plugins | suse enterprise desktop 15 SP7 | 3.10.3-150700.3.3.1 | fixed |
| freerdp-proxy-plugins | suse enterprise sap 15 SP7 | 3.10.3-150700.3.3.1 | fixed |
| freerdp-proxy-plugins | suse enterprise server 15 SP7 | 3.10.3-150700.3.3.1 | fixed |
| freerdp-proxy-plugins | suse enterprise workstation 15 SP7 | 3.10.3-150700.3.3.1 | fixed |
| freerdp-sdl | suse enterprise desktop 15 SP7 | 3.10.3-150700.3.3.1 | fixed |
| freerdp-sdl | suse enterprise sap 15 SP7 | 3.10.3-150700.3.3.1 | fixed |
| freerdp-sdl | suse enterprise server 15 SP7 | 3.10.3-150700.3.3.1 | fixed |
| freerdp-sdl | suse enterprise workstation 15 SP7 | 3.10.3-150700.3.3.1 | fixed |
| freerdp-server | suse enterprise desktop 15 SP7 | 3.10.3-150700.3.3.1 | fixed |
| freerdp-server | suse enterprise sap 15 SP7 | 3.10.3-150700.3.3.1 | fixed |
| freerdp-server | suse enterprise server 15 SP7 | 3.10.3-150700.3.3.1 | fixed |
| freerdp-server | suse enterprise workstation 15 SP7 | 3.10.3-150700.3.3.1 | fixed |
| libfreerdp-server-proxy3-3 | suse enterprise desktop 15 SP7 | 3.10.3-150700.3.3.1 | fixed |
| libfreerdp-server-proxy3-3 | suse enterprise sap 15 SP7 | 3.10.3-150700.3.3.1 | fixed |
| libfreerdp-server-proxy3-3 | suse enterprise server 15 SP7 | 3.10.3-150700.3.3.1 | fixed |
| libfreerdp-server-proxy3-3 | suse enterprise workstation 15 SP7 | 3.10.3-150700.3.3.1 | fixed |
| libfreerdp3-3 | suse enterprise desktop 15 SP7 | 3.10.3-150700.3.3.1 | fixed |
| libfreerdp3-3 | suse enterprise sap 15 SP7 | 3.10.3-150700.3.3.1 | fixed |
| libfreerdp3-3 | suse enterprise server 15 SP7 | 3.10.3-150700.3.3.1 | fixed |
| libfreerdp3-3 | suse enterprise workstation 15 SP7 | 3.10.3-150700.3.3.1 | fixed |
| librdtk0-0 | suse enterprise desktop 15 SP7 | 3.10.3-150700.3.3.1 | fixed |
| librdtk0-0 | suse enterprise sap 15 SP7 | 3.10.3-150700.3.3.1 | fixed |
| librdtk0-0 | suse enterprise server 15 SP7 | 3.10.3-150700.3.3.1 | fixed |
| librdtk0-0 | suse enterprise workstation 15 SP7 | 3.10.3-150700.3.3.1 | fixed |
| libwinpr3-3 | suse enterprise desktop 15 SP7 | 3.10.3-150700.3.3.1 | fixed |
| libwinpr3-3 | suse enterprise sap 15 SP7 | 3.10.3-150700.3.3.1 | fixed |
| libwinpr3-3 | suse enterprise server 15 SP7 | 3.10.3-150700.3.3.1 | fixed |
| libwinpr3-3 | suse enterprise workstation 15 SP7 | 3.10.3-150700.3.3.1 | fixed |
| winpr-devel | suse enterprise desktop 15 SP7 | 3.10.3-150700.3.3.1 | fixed |
| winpr-devel | suse enterprise sap 15 SP7 | 3.10.3-150700.3.3.1 | fixed |
| winpr-devel | suse enterprise server 15 SP7 | 3.10.3-150700.3.3.1 | fixed |
| winpr-devel | suse enterprise workstation 15 SP7 | 3.10.3-150700.3.3.1 | fixed |