CVE-2026-22858

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, global-buffer-overflow was observed in FreeRDP's Base64 decoding path. The root cause appears to be implementation-defined char signedness: on Arm/AArch64 builds, plain char is treated as unsigned, so the guard c <= 0 can be optimized into a simple c != 0 check. As a result, non-ASCII bytes (e.g., 0x80-0xFF) may bypass the intended range restriction and be used as an index into a global lookup table, causing out-of-bounds access. This vulnerability is fixed in 3.20.1.

Database specific

{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-125",
        "CWE-758"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/22xxx/CVE-2026-22858.json"
}

References

Affected packages

Git / github.com/freerdp/freerdp

Affected ranges

Type: GIT
Repo: https://github.com/freerdp/freerdp
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

7418bc7b7c880a87edade60282f6aeeacd640e47

Affected versions

1.*

1.0-beta1

1.0-beta2

1.0-beta3

1.0-beta4

1.0-beta5

1.0.0

1.0.1

1.1.0-beta+2013071101

1.1.0-beta1

1.1.0-beta1+android2

1.1.0-beta1+android3

1.1.0-beta1+android4

1.1.0-beta1+android5

1.1.0-beta1+ios1

1.1.0-beta1+ios2

1.1.0-beta1+ios3

1.1.0-beta1+ios4

1.2.0-beta1+android7

1.2.0-beta1+android9

2.*

2.0.0

2.0.0-beta1+android10

2.0.0-beta1+android11

2.0.0-rc0

2.0.0-rc1

2.0.0-rc2

2.0.0-rc3

2.0.0-rc4

3.*

3.0.0

3.0.0-beta1

3.0.0-beta2

3.0.0-beta3

3.0.0-beta4

3.0.0-rc0

3.1.0

3.10.0

3.10.1

3.10.2

3.10.3

3.11.0

3.11.1

3.12.0

3.13.0

3.14.0

3.14.1

3.15.0

3.16.0

3.17.0

3.17.1

3.17.2

3.18.0

3.19.0

3.19.1

3.2.0

3.20.0

3.3.0

3.4.0

3.5.0

3.5.1

3.6.0

3.6.1

3.6.2

3.6.3

3.7.0

3.9.0

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-22858.json"