CVE-2026-24677
Published: 09 February 2026
Summary
CVE-2026-24677 is a critical-severity vulnerability in FreeRDP, the open-source implementation of the Remote Desktop Protocol. It is catalogued here under CWE-416 (Use After Free), although the NVD description characterizes the flaw as an out-of-bounds read. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Remote Desktop Protocol (T1021.001). Its exploit-likelihood ranking sits at the 6.8th percentile (well below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly mandates timely patching of the out-of-bounds read in FreeRDP clients prior to version 3.22.0, closing the path a malicious RDP server uses to trigger it.
- RA-5 (Vulnerability Monitoring and Scanning): vulnerability scanning identifies vulnerable FreeRDP client versions, enabling remediation before a remote server triggers memory disclosure or a crash.
- SI-16 (Memory Protection): ASLR and DEP raise the cost of turning the flaw into code execution by randomizing addresses and restricting executable memory. Note that they do not prevent the out-of-bounds read itself, so memory disclosure and denial of service remain possible until the client is patched.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The flaw sits in the FreeRDP client and is triggered when a victim connects to a malicious RDP server, which then supplies the crafted values that cause the out-of-bounds read (memory disclosure or denial of service). The attack therefore rides on ordinary use of the Remote Desktop Protocol, mapping to T1021.001.
NVD Description
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.22.0, ecam_encoder_compress_h264 trusts server-controlled dimensions and does not validate the source buffer size, leading to an out-of-bounds read in sws_scale. This vulnerability is fixed in 3.22.0.
Deeper analysis
CVE-2026-24677 is a vulnerability in FreeRDP, a free implementation of the Remote Desktop Protocol (RDP), affecting versions prior to 3.22.0. The issue resides in the ecam_encoder_compress_h264 function, which trusts server-controlled dimensions without validating the size of the source frame buffer. The scaler, sws_scale, is then driven by those dimensions and reads beyond the end of the buffer. ecam_encoder_compress_h264 belongs to the client side of the camera redirection channel (MS-RDPECAM), so the vulnerable path is reached when the client is redirecting a camera device to the server. The vulnerability is listed under CWE-416 (Use After Free), which does not match the out-of-bounds read described by NVD; the CVSS v3.1 base score is 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H), reflecting high impact on confidentiality and availability.
A remote attacker exploits this by operating a malicious RDP server. When a victim connects with a vulnerable FreeRDP client, the server announces crafted frame dimensions for the H.264 encoding step, and the client's encoder reads past its source buffer. The CVSS vector rates user interaction as none and no privileges are needed; in practice the victim must still connect to (or be redirected to) the attacker-controlled server with camera redirection in use, after which nothing further is required of the user. Successful exploitation can result in disclosure of client memory contents or denial of service via an application crash.
The FreeRDP security advisory (GHSA-xw37-j744-f8v7) and the fixing commit (d2d4f449312ddafd4a4c6c8a4f856c7f0d44a3b5) confirm the issue was addressed in version 3.22.0 by validating the source buffer size against the announced dimensions. Update FreeRDP clients to 3.22.0 or later. When FreeRDP is installed from a distribution package, check the package changelog rather than the version string alone, since distributions sometimes backport the fix under an older version number. Until the update lands, disabling camera redirection on clients that connect to untrusted or internet-facing servers removes the reachable code path.
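The bug pattern is sizing a read from geometry the peer announces rather than from the buffer the client actually holds. The following C, an added example and not FreeRDP's code, computes how many bytes a scaler that trusts the announced width, height and stride would walk, and shows the validation a fixed encoder must perform before handing the buffer to a scaler. All type and function names are assumptions for illustration, and the 16x8 BGRX frame is constructed inline.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* A captured frame as the client holds it in memory (assumed type, not FreeRDP's). */
typedef struct {
    const uint8_t *data;
    size_t len;          /* bytes really present in the buffer */
} frame_t;

/* Bytes a scaler that trusts the announced geometry walks: `height` rows of
 * `stride` bytes, regardless of how large the source actually is. 64-bit so the
 * figure is exact even for absurd dimensions. */
uint64_t unchecked_bytes_consumed(uint32_t height, uint32_t stride)
{
    return (uint64_t)height * (uint64_t)stride;
}

/* Validate server-supplied geometry against the real source buffer.
 * Returns 0 only if every byte the scaler will touch lies inside src. */
int validate_source_frame(const frame_t *src, uint32_t width, uint32_t height,
                          uint32_t stride, uint32_t bytes_per_pixel)
{
    if (!src || !src->data || width == 0 || height == 0 || bytes_per_pixel == 0)
        return -1;

    /* A row must hold `width` pixels; multiply in 64 bits to avoid wraparound. */
    uint64_t row_bytes = (uint64_t)width * bytes_per_pixel;
    if (row_bytes > stride)
        return -1;

    /* The whole frame must fit. stride*height is a conservative bound that is
     * simpler than stride*(height-1)+row_bytes and never smaller than it. */
    uint64_t needed = (uint64_t)height * stride;
    if (needed > src->len)
        return -1;

    return 0;
}

/* Stand-in for the encode step: touches src only after validation passed.
 * Returns the byte sum over the frame, or -1 when the geometry is rejected. */
int64_t compress_frame_hardened(const frame_t *src, uint32_t width, uint32_t height,
                                uint32_t stride, uint32_t bytes_per_pixel)
{
    if (validate_source_frame(src, width, height, stride, bytes_per_pixel) != 0)
        return -1;

    uint64_t sum = 0;
    for (uint32_t y = 0; y < height; y++) {
        const uint8_t *row = src->data + (size_t)y * stride;
        for (uint64_t x = 0; x < (uint64_t)width * bytes_per_pixel; x++)
            sum += row[x];
    }
    return (int64_t)sum;
}

/* Constructed sample frame: 16x8 BGRX, 4 bytes per pixel, stride 64 (512 bytes). */
enum { SAMPLE_W = 16, SAMPLE_H = 8, SAMPLE_BPP = 4, SAMPLE_STRIDE = 64,
       SAMPLE_LEN = SAMPLE_H * SAMPLE_STRIDE };
static uint8_t sample_pixels[SAMPLE_LEN];

frame_t make_sample_frame(void)
{
    for (size_t i = 0; i < sizeof sample_pixels; i++)
        sample_pixels[i] = (uint8_t)(i & 0xFF);
    frame_t f = { sample_pixels, sizeof sample_pixels };
    return f;
}

/* Convenience wrappers: feed server-announced geometry against the sample frame. */
int validate_sample(uint32_t width, uint32_t height, uint32_t stride)
{
    frame_t f = make_sample_frame();
    return validate_source_frame(&f, width, height, stride, SAMPLE_BPP);
}

int64_t compress_sample(uint32_t width, uint32_t height, uint32_t stride)
{
    frame_t f = make_sample_frame();
    return compress_frame_hardened(&f, width, height, stride, SAMPLE_BPP);
}

int main(void)
{
    printf("honest 16x8 geometry, checksum: %lld\n", (long long)compress_sample(16, 8, 64));
    /* The server claims 640x480: a trusting scaler reads 1228800 bytes of a 512-byte buffer. */
    printf("unchecked 640x480 walks %llu bytes of %d\n",
           (unsigned long long)unchecked_bytes_consumed(480, 640 * SAMPLE_BPP), SAMPLE_LEN);
    printf("hardened 640x480 result: %lld\n", (long long)compress_sample(640, 480, 2560));
    return 0;
}
```

The checks are deliberately split in two: the per-row check (width times bytes per pixel must not exceed the stride) catches a width that is inconsistent with the stride even when the total still fits, and the whole-frame check catches the height. Both multiplications are done in 64 bits; a 32-bit product of attacker-chosen width and bytes-per-pixel could wrap to a small number and pass an otherwise correct comparison.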
Details
- CWE(s)