CVE-2026-24491

High

Published: 09 February 2026

Published

09 February 2026

Modified

10 February 2026

KEV Added

—

Patch

—

CVSS Score 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS Score 0.0002 5.8th percentile

Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-24491 is a high-severity Use After Free (CWE-416) vulnerability in Freerdp Freerdp. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 5.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

Threat & Defense at a Glance

What attackers do: exploitation maps to Application or System Exploitation (T1499.004).

Threat & Defense Details

Likely Mitigating ControlsAI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

SI-16 Memory Protection

addresses: CWE-416

Use-after-free exploits that achieve arbitrary code execution are blocked or significantly hardened by non-executable pages and ASLR.

MITRE ATT&CK Enterprise TechniquesAI

T1499.004 Application or System Exploitation Impact

Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

attack.mitre.org →

Why these techniques?

Use-after-free in FreeRDP client directly enables remote exploitation to crash the application, matching T1499.004 (Application or System Exploitation) for Endpoint DoS.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.22.0, video_timer can send client notifications after the control channel is closed, dereferencing a freed callback and triggering a use after free. This vulnerability is fixed in 3.22.0.

Deeper analysisAI

CVE-2026-24491 is a use-after-free vulnerability (CWE-416) in FreeRDP, an open-source implementation of the Remote Desktop Protocol (RDP). In versions prior to 3.22.0, the video_timer component can send client notifications after the control channel has been closed, leading to the dereferencing of a freed callback. This flaw has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating high severity primarily due to its potential for availability disruption.

Remote attackers with network access can exploit this vulnerability without authentication, privileges, or user interaction. By triggering the use-after-free condition during an RDP session, an attacker can cause the FreeRDP client to crash, resulting in a denial-of-service condition. The attack requires low complexity and does not impact confidentiality or integrity.

The vulnerability is fixed in FreeRDP version 3.22.0. The official patch is available in GitHub commit e02e052f6692550e539d10f99de9c35a23492db2, and further details are provided in the FreeRDP security advisory at GHSA-4x6j-w49r-869g. Security practitioners should update affected FreeRDP clients to the patched version to mitigate this issue.

Details

CWE(s): CWE-416

Affected Products

freerdp

≤ 3.22.0

CVEs Like This One

CVE-2026-25954Same product: Freerdp Freerdp

CVE-2026-26986Same product: Freerdp Freerdp

CVE-2026-24680Same product: Freerdp Freerdp

CVE-2026-24684Same product: Freerdp Freerdp

CVE-2026-24676Same product: Freerdp Freerdp

CVE-2026-24683Same product: Freerdp Freerdp

CVE-2026-27950Same product: Freerdp Freerdp

CVE-2026-24675Same product: Freerdp Freerdp

CVE-2026-24678Same product: Freerdp Freerdp

CVE-2026-23884Same product: Freerdp Freerdp

References

https://github.com/FreeRDP/FreeRDP/commit/e02e052f6692550e539d10f99de9c35a23492db2
Patch · security-advisories@github.com
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-4x6j-w49r-869g
Patch, Vendor Advisory · security-advisories@github.com