PatchSiren cyber security CVE debrief
CVE-2026-22859 FreeRDP CVE debrief
CVE-2026-22859 is a medium-severity vulnerability in the URBDRC (USB redirection) client component of FreeRDP. The client does not bounds-check the MSUSB_INTERFACE_DESCRIPTOR values it receives from the RDP server before using them as array indices in libusb_udev_complete_msconfig_setup, so a malicious or compromised server can cause an out-of-bounds read in the client. The issue is fixed in FreeRDP 3.20.1; users should update to that version or later. The CVSS score is 5.6 (medium).
- Vendor: FreeRDP
- Product: Unknown
- CVSS: MEDIUM 5.6
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-01-14
- Original CVE updated: 2026-06-30
- Advisory published: 2026-01-14
- Advisory updated: 2026-06-30
Who should care
This is a client-side bug: the out-of-bounds read is triggered by descriptor values that the RDP server sends to the FreeRDP client's URBDRC channel, so the exposed party is the user running the client, not the host being connected to. Anyone who points FreeRDP clients at servers they do not fully control, with USB device redirection enabled, should prioritize updating to 3.20.1 or later; this matters most in enterprise settings where users routinely connect to shared, third-party or jump hosts. The CVSS vector rates attack complexity as high and user interaction as passive (UI:P), which is consistent with exploitation requiring nothing more than a victim connecting to a hostile server.
Technical summary
The URBDRC client in FreeRDP takes MSUSB_INTERFACE_DESCRIPTOR values supplied by the server and uses them as indices in libusb_udev_complete_msconfig_setup without checking them against the bounds of the locally enumerated USB configuration. Out-of-range values therefore produce an out-of-bounds read. The fix shipped in FreeRDP 3.20.1. The CVSS score is 5.6 (medium) with vector CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. Read in order: network-reachable (AV:N), high attack complexity (AC:H), no privileges required (PR:N), passive user interaction (UI:P), high impact on the confidentiality and availability of the vulnerable system (VC:H, VA:H) with no integrity impact (VI:N), no subsequent-system impact, and exploit maturity rated proof-of-concept (E:P), which matches the vendor reference tagged "Exploit" below.
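The bug class described above, as an added illustration in C that is not FreeRDP's or libusb's code: a server-supplied interface descriptor carries an interface number and alternate-setting number, and the client uses them to index into the configuration it enumerated locally. The type and field names here (toy_config, srv_interface_desc, InterfaceNumber, AlternateSetting) and the sample configuration are assumptions constructed for the example; the contrast is between trusting the indices as received and validating each one against the local table first.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model of the USB configuration the client already knows from local
 * enumeration (trusted). Illustrative names, not FreeRDP or libusb types. */
#define MAX_INTERFACES  4
#define MAX_ALTSETTINGS 3

typedef struct {
    uint8_t bInterfaceNumber;
    uint8_t bAlternateSetting;
    uint8_t bNumEndpoints;
} toy_altsetting;

typedef struct {
    int            num_altsetting;               /* how many entries are valid */
    toy_altsetting altsetting[MAX_ALTSETTINGS];
} toy_interface;

typedef struct {
    uint8_t       bNumInterfaces;                 /* how many entries are valid */
    toy_interface interface[MAX_INTERFACES];
} toy_config;

/* Interface descriptor as received from the RDP server (untrusted).
 * Field names are assumed for the example. */
typedef struct {
    uint8_t InterfaceNumber;
    uint8_t AlternateSetting;
} srv_interface_desc;

/* Vulnerable pattern: the server's values are used as indices directly.
 * InterfaceNumber can be up to 255 while interface[] holds 4 entries, so a
 * hostile descriptor reads memory past the end of the configuration. */
static int endpoints_unchecked(const toy_config *cfg, const srv_interface_desc *d)
{
    const toy_interface *iface = &cfg->interface[d->InterfaceNumber];
    return iface->altsetting[d->AlternateSetting].bNumEndpoints;
}

/* Hardened pattern: every server-supplied index is checked against the
 * count the client enumerated itself. Returns -1 if the descriptor is
 * rejected, otherwise the endpoint count of the selected alternate setting. */
static int endpoints_checked(const toy_config *cfg, const srv_interface_desc *d)
{
    if (cfg->bNumInterfaces > MAX_INTERFACES)            /* corrupt local table */
        return -1;
    if (d->InterfaceNumber >= cfg->bNumInterfaces)       /* server index out of range */
        return -1;
    const toy_interface *iface = &cfg->interface[d->InterfaceNumber];
    if (iface->num_altsetting <= 0 || iface->num_altsetting > MAX_ALTSETTINGS)
        return -1;
    if (d->AlternateSetting >= (unsigned)iface->num_altsetting)
        return -1;
    return iface->altsetting[d->AlternateSetting].bNumEndpoints;
}

/* Constructed sample: two interfaces, the second with two alternate settings. */
static toy_config make_sample_config(void)
{
    toy_config cfg;
    memset(&cfg, 0, sizeof(cfg));
    cfg.bNumInterfaces = 2;
    cfg.interface[0].num_altsetting = 1;
    cfg.interface[0].altsetting[0] = (toy_altsetting){0, 0, 2};
    cfg.interface[1].num_altsetting = 2;
    cfg.interface[1].altsetting[0] = (toy_altsetting){1, 0, 1};
    cfg.interface[1].altsetting[1] = (toy_altsetting){1, 1, 3};
    return cfg;
}

int main(void)
{
    toy_config cfg = make_sample_config();
    srv_interface_desc good = {1, 1};
    srv_interface_desc hostile = {200, 7};   /* values a malicious server could send */

    printf("checked, well-formed descriptor: %d endpoints\n", endpoints_checked(&cfg, &good));
    printf("checked, hostile descriptor:     %d (rejected)\n", endpoints_checked(&cfg, &hostile));
    /* endpoints_unchecked(&cfg, &hostile) would index 200 entries past a
     * 4-entry array; run under AddressSanitizer to see the out-of-bounds read. */
    (void)endpoints_unchecked;
    return 0;
}
```

The check has to be against the locally enumerated counts (bNumInterfaces, num_altsetting), not against the array capacity, because the unused tail of the table is uninitialised from the protocol's point of view even when it is inside the allocation.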
Defensive priority
Update FreeRDP clients to 3.20.1 or later. Where that cannot happen immediately, disable USB device redirection (the URBDRC channel, requested with xfreerdp's /usb option) for connections to servers you do not control; the untrusted descriptors arrive over that channel, so the vulnerable code path should not be reached without it.
Recommended defensive actions
- Update FreeRDP to version 3.20.1 or later on every client host, including embedded copies shipped inside other remote-access tools that bundle the FreeRDP libraries.
- Inventory affected systems and verify the installed version after the update rather than assuming the package manager pulled the fix.
- Until patched, disable USB redirection for sessions to untrusted or third-party servers.
- Monitor outbound RDP connections from patched and unpatched clients to unexpected or newly seen servers, since the attacker in this scenario is the server side of the session.
- Require multi-factor authentication and allow-listing for remote access endpoints so users are less likely to be steered to a hostile host.
- Track FreeRDP and other remote-access dependencies in your software inventory so future client-side advisories can be matched to deployed versions quickly.
Evidence notes
The CVE was published on January 14, 2026, and the record was last modified on June 30, 2026. The NVD entry carries the CVSS 4.0 score and vector quoted above. The vendor references are tagged Release Notes and Exploit/Vendor Advisory, the latter consistent with the proof-of-concept exploit maturity (E:P) in the vector. FreeRDP 3.20.1 contains the fix.
Official resources
- CVE-2026-22859 CVE record (CVE.org)
- CVE-2026-22859 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Release Notes
- Mitigation or vendor reference: [email protected] - Exploit, Vendor Advisory
- Source reference: 0b0ca135-0b70-47e7-9f44-1890c2a1c46c
This article is AI-assisted and based on the supplied source corpus.