CVE-2026-24491
Published: 09 February 2026
Summary
CVE-2026-24491 is a high-severity Use After Free (CWE-416) vulnerability in Freerdp Freerdp. Its CVSS base score is 7.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 7.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).
Deeper analysis
CVE-2026-24491 is a use-after-free vulnerability (CWE-416) in FreeRDP, an open-source implementation of the Remote Desktop Protocol (RDP). In versions prior to 3.22.0, the video_timer component can send client notifications after the control channel has been closed, leading to the dereferencing of a freed callback. This flaw has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating high severity primarily due to its potential for availability disruption.
Remote attackers with network access can exploit this vulnerability without authentication, privileges, or user interaction. By triggering the use-after-free condition during an RDP session, an attacker can cause the FreeRDP client to crash, resulting in a denial-of-service condition. The attack requires low complexity and does not impact confidentiality or integrity.
The vulnerability is fixed in FreeRDP version 3.22.0. The official patch is available in GitHub commit e02e052f6692550e539d10f99de9c35a23492db2, and further details are provided in the FreeRDP security advisory at GHSA-4x6j-w49r-869g. Security practitioners should update affected FreeRDP clients to the patched version to mitigate this issue.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-6481
Vulnerability details
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.22.0, video_timer can send client notifications after the control channel is closed, dereferencing a freed callback and triggering a use after free. This vulnerability is fixed in 3.22.0.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Use-after-free in FreeRDP client directly enables remote exploitation to crash the application, matching T1499.004 (Application or System Exploitation) for Endpoint DoS.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Mandates timely identification, reporting, and correction of the use-after-free flaw in FreeRDP by applying the patch released in version 3.22.0.
Implements memory protection mechanisms such as address space layout randomization and stack canaries that mitigate exploitation of the use-after-free vulnerability in the video_timer component.
Requires regular vulnerability scanning to identify systems running vulnerable FreeRDP versions prior to 3.22.0, enabling proactive remediation.