LiveActive security incident?Get immediate response
CVE Record

CVE-2026-22859: FreeRDP has a heap-buffer-overflow in urb_select_configuration

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, the URBDRC client does not perform bounds checking on server‑supplied MSUSB_INTERFACE_DESCRIPTOR values and uses them as indices in libusb_udev_complete_msconfig_setup, causing an out‑of‑bounds read. This vulnerability is fixed in 3.20.1.

HighCVSS 7.4Not KEV-listedUpdated
Glexia's TakeAutomated analysishigh

Security readout for executives and security teams

Plain-English summary

FreeRDP clients before 3.20.1 can mishandle USB redirection data supplied by an RDP server. A malicious or compromised server could make the client read outside intended memory, potentially exposing information or crashing the client. Sources name FreeRDP 3.20.1 as the fix.

Executive priority

Treat as a high-priority client-side remediation for environments using FreeRDP, especially administrators connecting to untrusted or third-party RDP servers. Prioritize patching over emergency response because the provided sources do not substantiate active exploitation.

Technical view

The URBDRC client lacks bounds checks on server-supplied MSUSB_INTERFACE_DESCRIPTOR values and uses them as indices in libusb_udev_complete_msconfig_setup. The issue is an out-of-bounds read, mapped to CWE-125 and CWE-129, with CVSS 3.1 score 7.4 and vector AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H.

Likely exposure

Exposure is most likely on systems running FreeRDP versions earlier than 3.20.1, especially clients using USB redirection. Red Hat references and errata indicate downstream package impact and fixes may vary by product. The bundle does not provide CPEs or a complete distribution-by-distribution affected list.

Exploitation context

The source bundle does not show KEV listing or active exploitation. Exploitation requires server-supplied descriptor values reaching the vulnerable URBDRC client path. The CVSS vector marks network attack, no privileges, no user interaction, and high attack complexity.

Researcher notes

Key analysis limits: the bundle identifies the vulnerable function path and fixed version, but does not include proof-of-concept details, exploit prevalence, or full downstream package status. Focus validation on URBDRC exposure, package provenance, and vendor backport confirmation.

Mitigation direction

  • Upgrade FreeRDP to 3.20.1 or later where available.
  • Apply vendor-fixed FreeRDP packages from Red Hat or your operating system vendor.
  • Disable or avoid FreeRDP USB redirection until patched, where operationally acceptable.
  • Check vendor advisories for backported fixes before relying on version strings alone.

Validation and detection

  • Inventory FreeRDP installations and package versions across endpoints and jump hosts.
  • Confirm each affected system is running 3.20.1 or a vendor-fixed backport.
  • Identify FreeRDP usage with URBDRC or USB redirection enabled.
  • Track remediation against relevant Red Hat errata or equivalent vendor advisories.
Prepared
Confidence
high
Sources
12

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cwe · low confidence lookup

CWE-125: Exact CWE lookup

Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.

Open ATT&CK lookup
cwe · low confidence lookup

CWE-129: Exact CWE lookup

Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.

Open ATT&CK lookup
cve · low confidence lookup

CVE-2026-22859 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
High
CVSS
7.4 (3.1)
Known Exploited
No
Published

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H

Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

2CVSS vectors
5Timeline events
2ADP providers
20Source links

SSVC decision data

CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: pocAutomatable: noTechnical Impact: partial

CVSS vector scores

2 official scores

We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.

ScoreVersionSeverityVectorExploitImpactSource
7.4CVSS 3.1HighCVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H2.25.2redhat-SADP
5.6CVSS 4.0MediumCVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N/E:PGitHub_M

Vulnerability scoring details

Base CVSS 4.0 score

5.6Medium
CVSS 4.0 vector shape for CVE-2026-22859Attack VectorAttack ComplexityAttack RequirementsPrivileges RequiredUser InteractionVS ConfidentialityVS IntegrityVS AvailabilitySS ConfidentialitySS IntegritySS Availability

Vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N/E:P

Attack Vector
NetworkAdjacentLocalPhysical
Attack Complexity
LowHigh
Attack Requirements
NonePresent
Privileges Required
NoneLowHigh
User Interaction
NonePassiveActive
VS Confidentiality
HighLowNone
VS Integrity
HighLowNone
VS Availability
HighLowNone
SS Confidentiality
HighLowNone
SS Integrity
HighLowNone
SS Availability
HighLowNone

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. ADP timelineredhat-SADP

    Made public.

  3. CVE publishedCVE Program

    The CVE record was published.

  4. ADP timelineredhat-SADP

    Reported to Red Hat.

  5. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

ADP provider summaries

CISA-ADPCISA ADP Vulnrichment
other:ssvc
redhat-SADPfreerdp: FreeRDP heap-buffer-overflow
other:Red Hat severity ratingcvssV3_1
  • 2026-01-14T18:01:32.314Z: Reported to Red Hat.
  • 2026-01-14T17:57:37.000Z: Made public.

Source materials

Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
FreeRDPFreeRDP< 3.20.1Listed
Weakness

CWE details

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.

CWE-125 · source CWE mapping

Out-of-bounds Read

Out-of-bounds Read represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.

CWE-129 · source CWE mapping

Improper Validation of Array Index

Improper Validation of Array Index represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.