Critical Vulnerability Information Vulnerability Type: Heap-buffer-overflow Affected Versions: <= 3.20.0 Fixed Version: 3.20.1 CVE ID: CVE-2026-22855 Severity: Moderate Weakness Type: CWE-20 (Improper Input Validation) Summary Description: In the function, a heap buffer overflow occurs when does not match the actual NDR buffer length. Details: - reads from the stream. If exists, it calls , which allocates based on the NDR length, not on . - There is no check to ensure that the NDR length equals . Later, when calling , is used, which may lead to memory corruption. - During the call, may exceed the actual size of , resulting in out-of-bounds access. PoC Enable smart card redirection and connect to a malicious RDP server (or MITM). Send a request with a large but encode a smaller NDR length. The client allocates a small buffer and attempts to dump bytes, triggering the out-of-bounds read. Impact A malicious server can trigger a heap buffer overflow on the client, causing crashes (DoS) and potential heap corruption. Depending on allocator behavior and heap layout, there is a risk of code execution. Affected Entities Only affects FreeRDP-based clients Fix Pass as the minimum length to , ensuring the allocated buffer is at least that size.