CVE-2026-22858

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, global-buffer-overflow was observed in FreeRDP's Base64 decoding path. The root cause appears to be implementation-defined char signedness: on Arm/AArch64 builds, plain char is treated as unsigned, so the guard c <= 0 can be optimized into a simple c != 0 check. As a result, non-ASCII bytes (e.g., 0x80-0xFF) may bypass the intended range restriction and be used as an index into a global lookup table, causing out-of-bounds access. This vulnerability is fixed in 3.20.1.

CVSS v3 9.1 CRITICAL

9.1^/10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/FreeRDP/FreeRDP/releases/tag/3.20.1	Release Notes
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-qmqf-m84q-x896	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:freerdp:freerdp:*:*:*:*:*:*:*:*

History

17 Jun 2026, 10:20

Type	Values Removed	Values Added
References	~~() https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-qmqf-m84q-x896 - Vendor Advisory, Exploit~~	() https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-qmqf-m84q-x896 - Exploit, Vendor Advisory
Summary		(es) FreeRDP es una implementación gratuita del Protocolo de Escritorio Remoto. Antes de la versión 3.20.1, se observó un desbordamiento de búfer global en la ruta de decodificación Base64 de FreeRDP. La causa raíz parece ser la signatura de `char` definida por la implementación: en compilaciones Arm/AArch64, `char` simple se trata como sin signo, por lo que la guarda `c <= 0` puede optimizarse en una simple verificación `c != 0`. Como resultado, los bytes no ASCII (por ejemplo, 0x80-0xFF) pueden eludir la restricción de rango prevista y usarse como un índice en una tabla de búsqueda global, causando acceso fuera de límites. Esta vulnerabilidad se corrigió en la versión 3.20.1.

20 Jan 2026, 18:33

Type	Values Removed	Values Added
References	~~() https://github.com/FreeRDP/FreeRDP/releases/tag/3.20.1 -~~	() https://github.com/FreeRDP/FreeRDP/releases/tag/3.20.1 - Release Notes
References	~~() https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-qmqf-m84q-x896 -~~	() https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-qmqf-m84q-x896 - Vendor Advisory, Exploit
First Time		Freerdp Freerdp freerdp
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 9.1
CPE		cpe:2.3:a:freerdp:freerdp::::::::

14 Jan 2026, 18:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-01-14 18:16

Updated : 2026-06-17 10:20

NVD link : CVE-2026-22858

Mitre link : CVE-2026-22858

CVE.ORG link : CVE-2026-22858

JSON object : View

Products Affected

freerdp

freerdp

CWE

CWE-125

Out-of-bounds Read

CWE-758

Reliance on Undefined, Unspecified, or Implementation-Defined Behavior

9.1 /10