PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-22859 FreeRDP CVE debrief

CVE-2026-22859 is a medium-severity vulnerability in the FreeRDP URBDRC client. The vulnerability arises from a lack of proper bounds checking on server-supplied MSUSB_INTERFACE_DESCRIPTOR values, which are then used as indices in libusb_udev_complete_msconfig_setup. This can lead to an out-of-bounds read. The vulnerability has been fixed in FreeRDP version 3.20.1. Users of FreeRDP should update to this version or later to mitigate the risk. The Common Vulnerability Scoring System (CVSS) score for this vulnerability is 5.6, indicating a medium severity level.

Vendor
FreeRDP
Product
Unknown
CVSS
MEDIUM 5.6
CISA KEV
Not listed in stored evidence
Original CVE published
2026-01-14
Original CVE updated
2026-06-30
Advisory published
2026-01-14
Advisory updated
2026-06-30

Who should care

Organizations and individuals using FreeRDP for remote desktop connections should be aware of this vulnerability. The flaw is in the client side of the URBDRC (USB redirection) channel and is triggered by server-supplied descriptor values, so the exposure is a FreeRDP client with USB redirection enabled connecting to a malicious or compromised server. Given the medium severity and the potential for exploitation, users of FreeRDP should prioritize updating to version 3.20.1 or later. This is particularly important for environments where remote desktop access is common, such as in enterprise settings.

Technical summary

The URBDRC client in FreeRDP does not perform adequate bounds checking on MSUSB_INTERFACE_DESCRIPTOR values provided by the server. These values are used as indices in the libusb_udev_complete_msconfig_setup function, leading to a potential out-of-bounds read. This issue has been addressed in FreeRDP version 3.20.1. The vulnerability's CVSS score is 5.6, categorizing it as medium severity. The CVSS 4.0 vector is CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X, that is: network attack vector, high attack complexity, no privileges required, passive user interaction, high confidentiality and availability impact on the vulnerable system, and proof-of-concept exploit maturity.
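The defect class described above is an index chosen by the remote peer being used to address a locally enumerated table without being compared against that table's real size. The following C example is added here to illustrate the check the client needs; it is not FreeRDP's code and does not reproduce its data structures. The structs, field names and constants (local_usb_config, remote_interface_descriptor, MAX_INTERFACES, MAX_ALT_SETTINGS) are hypothetical, and the sample configuration is constructed for the demonstration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical, simplified model of a USB configuration the client has
 * enumerated locally: a fixed number of interfaces, each with a fixed
 * number of alternate settings. Not FreeRDP's structures. */
#define MAX_INTERFACES   8
#define MAX_ALT_SETTINGS 4

typedef struct {
    uint8_t  num_interfaces;                                  /* <= MAX_INTERFACES */
    uint8_t  num_alt_settings[MAX_INTERFACES];                /* each <= MAX_ALT_SETTINGS */
    uint32_t interface_id[MAX_INTERFACES][MAX_ALT_SETTINGS];  /* locally known ids */
} local_usb_config;

/* Hypothetical descriptor as it arrives from the remote peer: both
 * indices are attacker-controlled and must be treated as untrusted. */
typedef struct {
    uint8_t interface_number;
    uint8_t alternate_setting;
} remote_interface_descriptor;

/* Checked lookup: returns false and leaves *out untouched when either
 * index lies outside what the local enumeration actually contains.
 * Both checks compare against the real counts, not the array capacity,
 * so an index that fits the static array but names a slot that was
 * never populated is also rejected. */
bool lookup_interface_checked(const local_usb_config *cfg,
                              const remote_interface_descriptor *d,
                              uint32_t *out)
{
    if (cfg == NULL || d == NULL || out == NULL)
        return false;
    if (cfg->num_interfaces > MAX_INTERFACES)          /* corrupt local state */
        return false;
    if (d->interface_number >= cfg->num_interfaces)    /* untrusted index 1 */
        return false;
    if (cfg->num_alt_settings[d->interface_number] > MAX_ALT_SETTINGS)
        return false;
    if (d->alternate_setting >= cfg->num_alt_settings[d->interface_number])
        return false;                                  /* untrusted index 2 */
    *out = cfg->interface_id[d->interface_number][d->alternate_setting];
    return true;
}

/* Constructed sample: two interfaces, the first with two alternate
 * settings and the second with one. */
static local_usb_config make_sample_config(void)
{
    local_usb_config cfg = {0};
    cfg.num_interfaces = 2;
    cfg.num_alt_settings[0] = 2;
    cfg.num_alt_settings[1] = 1;
    cfg.interface_id[0][0] = 0x1000;
    cfg.interface_id[0][1] = 0x1001;
    cfg.interface_id[1][0] = 0x2000;
    return cfg;
}

/* Convenience wrapper: resolve a (interface, alt) pair from the sample
 * configuration, returning the id or -1 when the lookup is rejected. */
long demo_lookup(uint8_t interface_number, uint8_t alternate_setting)
{
    local_usb_config cfg = make_sample_config();
    remote_interface_descriptor d = { interface_number, alternate_setting };
    uint32_t id;
    if (!lookup_interface_checked(&cfg, &d, &id))
        return -1;
    return (long)id;
}

int main(void)
{
    printf("(0,1) -> %ld\n", demo_lookup(0, 1));   /* valid: 4097 */
    printf("(1,1) -> %ld\n", demo_lookup(1, 1));   /* alt setting out of range: -1 */
    printf("(5,0) -> %ld\n", demo_lookup(5, 0));   /* interface out of range: -1 */
    printf("(200,0) -> %ld\n", demo_lookup(200, 0)); /* beyond the array itself: -1 */
    return 0;
}
```

The point to take from the example is the second pair of checks: validating the interface index alone is not enough, because the alternate-setting index is bounded by a per-interface count that is only meaningful once the interface index has itself been validated.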

Defensive priority

Update FreeRDP to version 3.20.1 or later to fix the vulnerability. Review and update affected systems and software to ensure they are using the patched version.

Recommended defensive actions

  • Update FreeRDP to version 3.20.1 or later.
  • Review and update affected systems and software to ensure they are using the patched version.
  • Monitor for any suspicious activity related to remote desktop connections.
  • Implement additional security measures for remote access, such as multi-factor authentication.
  • Regularly review and update software dependencies to ensure they are secure and up-to-date.
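To act on the first two items, an administrator needs a reliable way to decide whether an installed FreeRDP build is at or above the fix version. The C function below is added here for that purpose; it is not part of FreeRDP or of this advisory. It assumes the version is available as a string that contains a dotted MAJOR.MINOR.PATCH number, possibly with surrounding text; the sample strings in the comments and in main are constructed for the demonstration, and the exact output format of the FreeRDP command-line tools is an assumption, not something this page states.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Fix version named in the advisory: 3.20.1. */
static const int FIX_VERSION[3] = { 3, 20, 1 };

/* Extract MAJOR.MINOR.PATCH from a string that may carry a prefix or a
 * suffix (e.g. "... version 3.20.1-dev (...)"). A missing PATCH field is
 * treated as 0. Returns false when no dotted number is present. */
static bool parse_version(const char *s, int out[3])
{
    if (s == NULL)
        return false;
    const char *start = strpbrk(s, "0123456789");   /* skip any text prefix */
    if (start == NULL)
        return false;
    out[0] = out[1] = out[2] = 0;
    int n = sscanf(start, "%d.%d.%d", &out[0], &out[1], &out[2]);
    if (n < 2)                                      /* need at least MAJOR.MINOR */
        return false;
    for (int i = 0; i < 3; i++)
        if (out[i] < 0)
            return false;
    return true;
}

/* True when the installed version is 3.20.1 or later. Unparseable input
 * is reported as not patched so that a broken check fails closed. */
bool freerdp_version_is_patched(const char *installed)
{
    int have[3];
    if (!parse_version(installed, have))
        return false;
    for (int i = 0; i < 3; i++) {
        if (have[i] > FIX_VERSION[i])
            return true;
        if (have[i] < FIX_VERSION[i])
            return false;
    }
    return true;                                    /* exactly 3.20.1 */
}

int main(void)
{
    /* Constructed sample strings; the "This is FreeRDP version" prefix is
     * an assumed format, not taken from this page. */
    const char *samples[] = {
        "3.20.1",
        "3.20.0",
        "3.21.0",
        "2.11.7",
        "This is FreeRDP version 3.20.1-dev (abcdef0)",
        "not a version",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-45s -> %s\n", samples[i],
               freerdp_version_is_patched(samples[i]) ? "patched" : "UPDATE NEEDED");
    return 0;
}
```

Because the advisory only states that 3.20.1 and later contain the fix, any earlier branch, including 2.x builds, is reported as needing an update; do not relax that without confirming a backport from the project's own release notes.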

Evidence notes

The vulnerability was disclosed on January 14, 2026, and the CVE record was last modified on June 30, 2026. The NVD provides detailed information about the vulnerability, including its CVSS score and vector. FreeRDP has released a patch for this vulnerability in version 3.20.1.

Official resources

This article is AI-assisted and based on the supplied source corpus.