VDB

CVE-2026-22857

CVE-2026-22857 PUBLISHED CVSS 6.800000190734863 MEDIUM

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, a heap use-after-free occurs in irp_thread_func because the IRP is freed by irp->Complete() and then accessed again on the error path. This vulnerability is fixed in 3.20.1.

EPSS 0.11% · 29.1th percentile

Risk Scores

CVSS 4.0
6.800000190734863
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P
EPSS Score
0.11%
29.1th percentile

Affected Products

VendorProductVersions
freerdpfreerdp0
FreeRDPFreeRDP< 3.20.1

Timeline

  • Jan 14, 2026 CVE Published
  • Jan 14, 2026 PoC Published
  • Jan 14, 2026 PoC Published
  • Jan 15, 2026 EPSS Score
  • Jan 18, 2026 EPSS Score
  • Jan 20, 2026 CVE Updated
  • Jan 21, 2026 EPSS Score
  • Jan 24, 2026 EPSS Score
  • Jan 27, 2026 EPSS Score
  • Jan 30, 2026 EPSS Score
  • Feb 2, 2026 EPSS Score
  • Feb 5, 2026 EPSS Score
Open in Interactive Console →
$ Console Community · 100/wk Open console ›