Cyber Resilience

CVE-2026-24677

Severity: High
Published: 09 February 2026
Modified: 10 February 2026
KEV Added: not listed
Patch: available (fixed in 3.22.0)
CVSS v4.0 score: 8.7 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0049 (38.3rd percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-24677 is a high-severity Use After Free (CWE-416) vulnerability in FreeRDP (listed as Freerdp Freerdp). Its CVSS v4 base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique T1021.001 (Remote Desktop Protocol). The CVE is ranked at the 38.3rd percentile by exploit likelihood (EPSS), below the median, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).

Deeper analysis

CVE-2026-24677 is a vulnerability in FreeRDP, a free implementation of the Remote Desktop Protocol (RDP), affecting versions prior to 3.22.0. The issue resides in the ecam_encoder_compress_h264 function, which trusts server-controlled frame dimensions without validating that the client's source buffer is large enough for them. The mismatch leads to an out-of-bounds read inside sws_scale (FFmpeg's libswscale), which reads as many bytes as the claimed geometry implies. The vulnerability is classified under CWE-416 (Use After Free) with a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H), indicating critical severity due to high impacts on confidentiality and availability.

A remote attacker can exploit this vulnerability by operating a malicious RDP server. When a victim uses a vulnerable FreeRDP client to connect to the server, the attacker can send crafted dimensions during H.264 encoding, triggering the out-of-bounds read. No privileges or user interaction are required beyond initiating the connection, allowing network-accessible exploitation with low complexity. Successful exploitation can result in disclosure of sensitive memory contents from the client or denial of service via application crash.

The FreeRDP security advisory (GHSA-xw37-j744-f8v7) and the fixing commit (d2d4f449312ddafd4a4c6c8a4f856c7f0d44a3b5) confirm the issue was addressed in version 3.22.0 by adding proper buffer size validation. Security practitioners should update FreeRDP clients to 3.22.0 or later to mitigate the risk.
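As an added illustration (not FreeRDP's code and not the fixing commit), the C below models the validation the advisory says was missing: server-supplied frame dimensions are checked, in overflow-safe arithmetic, against the client's own source buffer before anything like sws_scale would read from it, with a naive 32-bit check shown alongside for contrast. Function and parameter names are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* Added example, not FreeRDP's code: models the validation the advisory says was missing; names are assumptions. */

/* Naive check mirroring the bug class: peer dimensions are trusted and
 * multiplied in 32 bits, so large values wrap and an undersized buffer passes. */
bool naive_buffer_ok(uint32_t width, uint32_t height, uint32_t bpp, size_t src_len)
{
    uint32_t need = width * height * bpp; /* may wrap */
    return need <= src_len;
}

/* Bytes a width x height frame needs for the given bytes-per-pixel and row
 * stride, in 64-bit math; 0 means reject (zero dimension, stride shorter than
 * one row, or a total that does not fit in size_t). */
size_t frame_bytes_needed(uint32_t width, uint32_t height, uint32_t bpp, uint32_t stride)
{
    if (width == 0 || height == 0 || bpp == 0)
        return 0;
    if ((uint64_t)width * bpp > stride) /* one row must fit in the stride */
        return 0;
    uint64_t need = (uint64_t)height * stride; /* product of two uint32 fits in uint64_t */
    if (need > (uint64_t)SIZE_MAX)
        return 0;
    return (size_t)need;
}

/* Hardened check: proceed only when the caller's buffer holds everything the
 * scaler would read for the claimed geometry. */
bool source_buffer_ok(uint32_t width, uint32_t height, uint32_t bpp, uint32_t stride, size_t src_len)
{
    size_t need = frame_bytes_needed(width, height, bpp, stride);
    return need != 0 && need <= src_len;
}

int main(void)
{
    /* Constructed scenario: the client holds a 64x64 BGRX frame, 16384 bytes. */
    size_t src_len = 64u * 4u * 64u;
    printf("own 64x64 ok: %d\n", source_buffer_ok(64, 64, 4, 256, src_len));
    printf("peer 1920x1080 ok: %d\n", source_buffer_ok(1920, 1080, 4, 7680, src_len));
    /* 65536*65536*4 wraps to 0 in 32-bit math: naive accepts, hardened refuses. */
    printf("naive 65536x65536 ok: %d\n", naive_buffer_ok(65536u, 65536u, 4, src_len));
    printf("hardened 65536x65536 ok: %d\n", source_buffer_ok(65536u, 65536u, 4, 262144u, src_len));
    return 0;
}
```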


Vulnerability details

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.22.0, ecam_encoder_compress_h264 trusts server-controlled dimensions and does not validate the source buffer size, leading to an out-of-bounds read in sws_scale. This vulnerability is fixed in 3.22.0.


Related Threats

MITRE ATT&CK Enterprise Techniques [AI]

T1021.001 Remote Desktop Protocol (Lateral Movement)
Why these techniques?

Vulnerability in FreeRDP client directly enables exploitation (OOB read/memory disclosure or DoS) when a victim connects to a malicious RDP server, mapping to abuse of the Remote Desktop Protocol.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-25952 (same product: Freerdp Freerdp)
CVE-2026-24681 (same product: Freerdp Freerdp)
CVE-2026-24678 (same product: Freerdp Freerdp)
CVE-2026-27950 (same product: Freerdp Freerdp)
CVE-2026-22857 (same product: Freerdp Freerdp)
CVE-2026-24680 (same product: Freerdp Freerdp)
CVE-2026-25953 (same product: Freerdp Freerdp)
CVE-2026-24675 (same product: Freerdp Freerdp)
CVE-2026-25954 (same product: Freerdp Freerdp)
CVE-2026-24491 (same product: Freerdp Freerdp)

Affected Assets

Vendor: freerdp
Product: freerdp
Versions: ≤ 3.22.0

Mitigating Controls (NIST 800-53 r5) [AI]

Prevent: Directly mandates timely patching of the out-of-bounds read flaw in FreeRDP prior to version 3.22.0 to prevent exploitation by malicious RDP servers.

Detect: Vulnerability scanning identifies vulnerable FreeRDP client versions, enabling remediation before remote attackers trigger memory disclosure or crashes.

Prevent: Memory protection mechanisms such as ASLR and DEP limit the impact of the out-of-bounds read by randomizing addresses and restricting code execution; they do not stop the read itself, so updating the client remains the primary control.
