Cyber Resilience

CVE-2026-24491

High

Published: 09 February 2026

Published
09 February 2026
Modified
10 February 2026
KEV Added
Patch
CVSS Score v4 7.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0003 7.5th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-24491 is a high-severity Use After Free (CWE-416) vulnerability in Freerdp Freerdp. Its CVSS base score is 7.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 7.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).

Deeper analysis

CVE-2026-24491 is a use-after-free vulnerability (CWE-416) in FreeRDP, an open-source implementation of the Remote Desktop Protocol (RDP). In versions prior to 3.22.0, the video_timer component can send client notifications after the control channel has been closed, leading to the dereferencing of a freed callback. This flaw has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating high severity primarily due to its potential for availability disruption.

Remote attackers with network access can exploit this vulnerability without authentication, privileges, or user interaction. By triggering the use-after-free condition during an RDP session, an attacker can cause the FreeRDP client to crash, resulting in a denial-of-service condition. The attack requires low complexity and does not impact confidentiality or integrity.

The vulnerability is fixed in FreeRDP version 3.22.0. The official patch is available in GitHub commit e02e052f6692550e539d10f99de9c35a23492db2, and further details are provided in the FreeRDP security advisory at GHSA-4x6j-w49r-869g. Security practitioners should update affected FreeRDP clients to the patched version to mitigate this issue.

EU & UK References

Vulnerability details

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.22.0, video_timer can send client notifications after the control channel is closed, dereferencing a freed callback and triggering a use after free. This vulnerability is fixed in 3.22.0.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Use-after-free in FreeRDP client directly enables remote exploitation to crash the application, matching T1499.004 (Application or System Exploitation) for Endpoint DoS.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-24684Same product: Freerdp Freerdp
CVE-2026-24683Same product: Freerdp Freerdp
CVE-2026-24676Same product: Freerdp Freerdp
CVE-2026-24675Same product: Freerdp Freerdp
CVE-2026-25954Same product: Freerdp Freerdp
CVE-2026-26986Same product: Freerdp Freerdp
CVE-2026-24680Same product: Freerdp Freerdp
CVE-2026-27950Same product: Freerdp Freerdp
CVE-2026-23884Same product: Freerdp Freerdp
CVE-2026-24678Same product: Freerdp Freerdp

Affected Assets

freerdp
freerdp
≤ 3.22.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Mandates timely identification, reporting, and correction of the use-after-free flaw in FreeRDP by applying the patch released in version 3.22.0.

prevent

Implements memory protection mechanisms such as address space layout randomization and stack canaries that mitigate exploitation of the use-after-free vulnerability in the video_timer component.

detect

Requires regular vulnerability scanning to identify systems running vulnerable FreeRDP versions prior to 3.22.0, enabling proactive remediation.

References