Cyber Resilience

CVE-2026-24676

High

Published: 09 February 2026

Published
09 February 2026
Modified
10 February 2026
KEV Added
Patch
CVSS Score v4 7.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0003 7.5th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-24676 is a high-severity Use After Free (CWE-416) vulnerability in Freerdp Freerdp. Its CVSS base score is 7.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 7.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).

Deeper analysis

CVE-2026-24676 is a use-after-free vulnerability (CWE-416) in FreeRDP, a free implementation of the Remote Desktop Protocol. The issue affects versions prior to 3.22.0 and occurs during AUDIN format renegotiation, where the active format list is freed while the capture thread continues using audin->format, leading to a use-after-free condition in the audio_format_compatible function.

The vulnerability has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating it is exploitable over the network with low complexity, no privileges or user interaction required. An unauthenticated remote attacker can trigger the flaw by initiating a Remote Desktop Protocol connection, causing a denial of service through application crash or instability due to the memory corruption.

The vulnerability is fixed in FreeRDP version 3.22.0. The patch commit is available at https://github.com/FreeRDP/FreeRDP/commit/026b81ae5831ac1598d8f7371e0d0996fac7db00, and further details are provided in the GitHub security advisory at https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-qh5p-frq4-pgxj. Security practitioners should update to 3.22.0 or later to mitigate the issue.

EU & UK References

Vulnerability details

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.22.0, AUDIN format renegotiation frees the active format list while the capture thread continues using audin->format, leading to a use after free in audio_format_compatible. This vulnerability is fixed…

more

in 3.22.0.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Use-after-free in FreeRDP's RDP/AUDIN handling allows unauthenticated remote network exploitation that directly crashes the application, mapping to application/system exploitation for endpoint DoS.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-24684Same product: Freerdp Freerdp
CVE-2026-24683Same product: Freerdp Freerdp
CVE-2026-24675Same product: Freerdp Freerdp
CVE-2026-25954Same product: Freerdp Freerdp
CVE-2026-26986Same product: Freerdp Freerdp
CVE-2026-24491Same product: Freerdp Freerdp
CVE-2026-24680Same product: Freerdp Freerdp
CVE-2026-27950Same product: Freerdp Freerdp
CVE-2026-23884Same product: Freerdp Freerdp
CVE-2026-24678Same product: Freerdp Freerdp

Affected Assets

freerdp
freerdp
≤ 3.22.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mandates timely identification, reporting, and correction of flaws like the use-after-free in FreeRDP by applying the patch in version 3.22.0 or later.

prevent

Implements memory safeguards such as ASLR, DEP, and stack canaries to mitigate exploitation of the use-after-free vulnerability causing application crashes.

detect

Requires vulnerability scanning and monitoring to identify systems running vulnerable FreeRDP versions prior to 3.22.0.

References