What is the CVSS score of CVE-2026-22851?

CVE-2026-22851 has a CVSS 3.1 base score of 5.9 (Medium). CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H. EPSS exploitation probability: 0.1%.

Which versions of Industrial are affected by CVE-2026-22851?

Organizations using FreeRDP should be aware of moderate risk from CVE-2026-22851, a race condition vulnerability rated CVSS 5.9. Exploitation could compromise the security of affected deployments.. A patch is available.

Is there a public PoC exploit available for CVE-2026-22851?

Yes, a public proof-of-concept exploit is available for CVE-2026-22851. Prioritise patching immediately. EPSS: 0.1%.

Industrial CVE-2026-22851

MEDIUM

Race Condition (CWE-362)

2026-01-14 security-advisories@github.com

Use After Free Race Condition Industrial Red Hat Freerdp Suse

5.9

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Lifecycle Timeline

Patch released

Apr 09, 2026 - 20:30 nvd

Patch available

Analysis Generated

Mar 12, 2026 - 21:54 vuln.today

PoC Detected

Jan 20, 2026 - 18:43 vuln.today

Public exploit code

CVE Published

Jan 14, 2026 - 18:16 nvd

MEDIUM 5.9

DescriptionNVD

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, a race condition between the RDPGFX dynamic virtual channel thread and the SDL render thread leads to a heap use-after-free. Specifically, an escaped pointer to sdl->primary (SDL_Surface) is accessed after it has been freed during RDPGFX ResetGraphics handling. This vulnerability is fixed in 3.20.1.

AnalysisAI

FreeRDP versions prior to 3.20.1 contain a race condition between the RDPGFX virtual channel and SDL rendering threads that enables heap use-after-free when graphics are reset. Public exploit code exists for this vulnerability, allowing attackers to crash the application or potentially execute code in industrial control systems and other environments using vulnerable FreeRDP implementations. …

RemediationAI

Within 30 days: Identify affected systems and apply vendor patches as part of regular patch cycle. Monitor vendor channels for patch availability.

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory