CVE-2026-22858

EUVD-2026-2669

14.01.2026, 18:16

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, global-buffer-overflow was observed in FreeRDP's Base64 decoding path. The root cause appears to be implementation-defined char signedness: on Arm/AArch64 builds, plain char is treated as unsigned, so the guard c <= 0 can be optimized into a simple c != 0 check. As a result, non-ASCII bytes (e.g., 0x80-0xFF) may bypass the intended range restriction and be used as an index into a global lookup table, causing out-of-bounds access. This vulnerability is fixed in 3.20.1.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	9.1 CRITICAL	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 29%

Affected Products (NVD)

Vendor	Product	Version
freerdp	freerdp	𝑥 < 3.20.1

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

freerdp2

bookworm	no-dsa
bullseye	vulnerable
bullseye (security)	vulnerable

freerdp3

forky	3.26.0+dfsg-1 fixed
sid	3.26.0+dfsg-1 fixed
trixie	3.15.0+dfsg-2.1+deb13u3 fixed

openSUSE / SLES Releases

openSUSE Product

Release

freerdp

suse enterprise desktop 15 SP7	3.10.3-150700.3.3.1 fixed
suse enterprise sap 15 SP7	3.10.3-150700.3.3.1 fixed
suse enterprise server 15 SP7	3.10.3-150700.3.3.1 fixed
suse enterprise workstation 15 SP7	3.10.3-150700.3.3.1 fixed

freerdp-devel

suse enterprise desktop 15 SP7	3.10.3-150700.3.3.1 fixed
suse enterprise sap 15 SP7	3.10.3-150700.3.3.1 fixed
suse enterprise server 15 SP7	3.10.3-150700.3.3.1 fixed
suse enterprise workstation 15 SP7	3.10.3-150700.3.3.1 fixed

freerdp-proxy

suse enterprise desktop 15 SP7	3.10.3-150700.3.3.1 fixed
suse enterprise sap 15 SP7	3.10.3-150700.3.3.1 fixed
suse enterprise server 15 SP7	3.10.3-150700.3.3.1 fixed
suse enterprise workstation 15 SP7	3.10.3-150700.3.3.1 fixed

freerdp-proxy-plugins

suse enterprise desktop 15 SP7	3.10.3-150700.3.3.1 fixed
suse enterprise sap 15 SP7	3.10.3-150700.3.3.1 fixed
suse enterprise server 15 SP7	3.10.3-150700.3.3.1 fixed
suse enterprise workstation 15 SP7	3.10.3-150700.3.3.1 fixed

freerdp-sdl

suse enterprise desktop 15 SP7	3.10.3-150700.3.3.1 fixed
suse enterprise sap 15 SP7	3.10.3-150700.3.3.1 fixed
suse enterprise server 15 SP7	3.10.3-150700.3.3.1 fixed
suse enterprise workstation 15 SP7	3.10.3-150700.3.3.1 fixed

freerdp-server

suse enterprise desktop 15 SP7	3.10.3-150700.3.3.1 fixed
suse enterprise sap 15 SP7	3.10.3-150700.3.3.1 fixed
suse enterprise server 15 SP7	3.10.3-150700.3.3.1 fixed
suse enterprise workstation 15 SP7	3.10.3-150700.3.3.1 fixed

libfreerdp-server-proxy3-3

suse enterprise desktop 15 SP7	3.10.3-150700.3.3.1 fixed
suse enterprise sap 15 SP7	3.10.3-150700.3.3.1 fixed
suse enterprise server 15 SP7	3.10.3-150700.3.3.1 fixed
suse enterprise workstation 15 SP7	3.10.3-150700.3.3.1 fixed

libfreerdp3-3

suse enterprise desktop 15 SP7	3.10.3-150700.3.3.1 fixed
suse enterprise sap 15 SP7	3.10.3-150700.3.3.1 fixed
suse enterprise server 15 SP7	3.10.3-150700.3.3.1 fixed
suse enterprise workstation 15 SP7	3.10.3-150700.3.3.1 fixed

librdtk0-0

suse enterprise desktop 15 SP7	3.10.3-150700.3.3.1 fixed
suse enterprise sap 15 SP7	3.10.3-150700.3.3.1 fixed
suse enterprise server 15 SP7	3.10.3-150700.3.3.1 fixed
suse enterprise workstation 15 SP7	3.10.3-150700.3.3.1 fixed

libwinpr3-3

suse enterprise desktop 15 SP7	3.10.3-150700.3.3.1 fixed
suse enterprise sap 15 SP7	3.10.3-150700.3.3.1 fixed
suse enterprise server 15 SP7	3.10.3-150700.3.3.1 fixed
suse enterprise workstation 15 SP7	3.10.3-150700.3.3.1 fixed

winpr-devel

suse enterprise desktop 15 SP7	3.10.3-150700.3.3.1 fixed
suse enterprise sap 15 SP7	3.10.3-150700.3.3.1 fixed
suse enterprise server 15 SP7	3.10.3-150700.3.3.1 fixed
suse enterprise workstation 15 SP7	3.10.3-150700.3.3.1 fixed

Red Hat Enterprise Linux Releases

Red Hat Product

Release

freerdp

RHEL 8	2:2.11.7-3.el8_10 fixed
RHEL 8.2 AUS	2:2.0.0-46.rc4.el8_2.7 fixed
RHEL 8.4 AUS	2:2.2.0-8.el8_4 fixed
RHEL 8.6 AUS	2:2.2.0-7.el8_6.2 fixed
RHEL 8.6 E4S	2:2.2.0-7.el8_6.2 fixed
RHEL 8.6 TUS	2:2.2.0-7.el8_6.2 fixed
RHEL 8.8 E4S	2:2.2.0-12.el8_8.2 fixed
RHEL 8.8 TUS	2:2.2.0-12.el8_8.2 fixed
RHEL 9	2:2.11.7-1.el9_7.2 fixed

freerdp-devel

RHEL 8	2:2.11.7-3.el8_10 fixed
RHEL 9	2:2.11.7-1.el9_7.2 fixed

freerdp-libs

RHEL 8	2:2.11.7-3.el8_10 fixed
RHEL 8.2 AUS	2:2.0.0-46.rc4.el8_2.7 fixed
RHEL 8.4 AUS	2:2.2.0-8.el8_4 fixed
RHEL 8.6 AUS	2:2.2.0-7.el8_6.2 fixed
RHEL 8.6 E4S	2:2.2.0-7.el8_6.2 fixed
RHEL 8.6 TUS	2:2.2.0-7.el8_6.2 fixed
RHEL 8.8 E4S	2:2.2.0-12.el8_8.2 fixed
RHEL 8.8 TUS	2:2.2.0-12.el8_8.2 fixed
RHEL 9	2:2.11.7-1.el9_7.2 fixed

libwinpr

RHEL 8	2:2.11.7-3.el8_10 fixed
RHEL 8.2 AUS	2:2.0.0-46.rc4.el8_2.7 fixed
RHEL 8.4 AUS	2:2.2.0-8.el8_4 fixed
RHEL 8.6 AUS	2:2.2.0-7.el8_6.2 fixed
RHEL 8.6 E4S	2:2.2.0-7.el8_6.2 fixed
RHEL 8.6 TUS	2:2.2.0-7.el8_6.2 fixed
RHEL 8.8 E4S	2:2.2.0-12.el8_8.2 fixed
RHEL 8.8 TUS	2:2.2.0-12.el8_8.2 fixed
RHEL 9	2:2.11.7-1.el9_7.2 fixed

libwinpr-devel

RHEL 8	2:2.11.7-3.el8_10 fixed
RHEL 8.2 AUS	2:2.0.0-46.rc4.el8_2.7 fixed
RHEL 8.4 AUS	2:2.2.0-8.el8_4 fixed
RHEL 8.6 AUS	2:2.2.0-7.el8_6.2 fixed
RHEL 8.6 E4S	2:2.2.0-7.el8_6.2 fixed
RHEL 8.6 TUS	2:2.2.0-7.el8_6.2 fixed
RHEL 8.8 E4S	2:2.2.0-12.el8_8.2 fixed
RHEL 8.8 TUS	2:2.2.0-12.el8_8.2 fixed
RHEL 9	2:2.11.7-1.el9_7.2 fixed

Known Exploits!

https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-qmqf-m84q-x896

Common Weakness Enumeration

CWE-125 - Out-of-bounds Read
The software reads data past the end, or before the beginning, of the intended buffer.

References

https://github.com/FreeRDP/FreeRDP/releases/tag/3.20.1

https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-qmqf-m84q-x896