CVE-2026-22857 — Vulnetix

Try Vulnetix Request Demo

CVE-2026-22857 PUBLISHED CVSS 6.800000190734863 MEDIUM

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, a heap use-after-free occurs in irp_thread_func because the IRP is freed by irp->Complete() and then accessed again on the error path. This vulnerability is fixed in 3.20.1.

EPSS 0.09% · 24.9th percentile

Risk Scores

CVSS v4.0

6.800000190734863

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P

EPSS Score

0.09%

24.9th percentile

Affected Products

Vendor	Product	Versions
freerdp	freerdp	0
FreeRDP	FreeRDP	< 3.20.1

Timeline

Jan 14, 2026 CVE Published
Jan 14, 2026 PoC Published
Jan 14, 2026 PoC Published
Jan 15, 2026 EPSS Score
Jan 17, 2026 EPSS Score
Jan 20, 2026 EPSS Score
Jan 20, 2026 CVE Updated
Jan 22, 2026 EPSS Score
Jan 25, 2026 EPSS Score
Jan 27, 2026 EPSS Score
Jan 29, 2026 EPSS Score
Feb 1, 2026 EPSS Score

References

Open in Interactive Console →