CVE-2026-22853
CriticalCVSS 9.8Exploitation Probability (EPSS)
Low risk47th percentile - higher than 47% of all known CVEs
Summary
In FreeRDP prior to version 3.20.1, the RDPEAR NDR array reader does not perform bounds checking on the on-wire element count and can write past the heap buffer allocated from hints, causing a heap buffer overflow in ndr_read_uint8Array.
Risk Assessment
An attacker can remotely exploit this vulnerability to cause a heap buffer overflow, potentially leading to arbitrary code execution or RDP service crash, compromising system confidentiality and availability.
Recommendation
Immediately upgrade FreeRDP to version 3.20.1 or later, which includes a fix for this vulnerability.
Original NVD description (English source)
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, RDPEAR’s NDR array reader does not perform bounds checking on the on‑wire element count and can write past the heap buffer allocated from hints, causing a heap buffer overflow in ndr_read_uint8Array. This vulnerability is fixed in 3.20.1.

