CVE-2026-24679
Published: 09 February 2026
Summary
CVE-2026-24679 is a critical-severity Heap-based Buffer Overflow (CWE-122) vulnerability in FreeRDP. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). It is ranked at the 6.8th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): timely patching of FreeRDP to 3.22.0 or later directly implements the missing bounds checks on server-supplied interface numbers.
- SI-10 (Information Input Validation): validate untrusted server-supplied interface numbers before using them as array indices in the URBDRC client, which prevents the out-of-bounds read.
- Vulnerability scanning: identifies FreeRDP versions prior to 3.22.0, enabling proactive remediation.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
An out-of-bounds read in the FreeRDP client enables remote denial of service via application crash (T1499.004 Application or System Exploitation) when the client connects to a malicious RDP server; the memory disclosure aspect does not map cleanly to a specific technique.
NVD Description
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.22.0, the URBDRC client uses server-supplied interface numbers as array indices without bounds checks, causing an out-of-bounds read in libusb_udev_select_interface. This vulnerability is fixed in 3.22.0.
Deeper analysis
CVE-2026-24679 is a critical-severity vulnerability (CVSS 9.1) affecting FreeRDP, an open-source implementation of the Remote Desktop Protocol, in versions prior to 3.22.0. The issue resides in the URBDRC client, which processes USB Redirection Channel data and uses server-supplied interface numbers directly as array indices without performing bounds checks. This leads to an out-of-bounds read in the libusb_udev_select_interface function, classified under CWE-122 (Heap-based Buffer Overflow).
Remote attackers can exploit this vulnerability over the network with low complexity, requiring no privileges, no user interaction, and no special setup on the target. By crafting malicious RDP traffic with oversized or invalid interface numbers, an attacker controlling the RDP server that a vulnerable FreeRDP client connects to can trigger the out-of-bounds read, potentially resulting in sensitive memory disclosure (high confidentiality impact) or application crash and denial of service (high availability impact), while integrity remains unaffected.
The FreeRDP security advisory (GHSA-2jp4-67x6-gv7x) and the fixing commit (2d563a50be17c1b407ca448b1321378c0726dd31) confirm the vulnerability was addressed in version 3.22.0 by adding proper bounds validation on the server-supplied interface numbers before indexing the array. Security practitioners should prioritize updating FreeRDP clients to 3.22.0 or later to mitigate this risk.
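As an added illustration of the bug class described above, and not FreeRDP's own code (the struct layout, function names and the 4-byte wire field are hypothetical), the following shows the unchecked use of a peer-supplied index beside the bounds-checked form that a fix of this kind introduces:

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define MAX_INTERFACES 4u

/* Hypothetical per-device table; num_interfaces says how many entries are valid. */
typedef struct {
    uint32_t num_interfaces;
    int interface_ids[MAX_INTERFACES];
} usb_device;

/* Vulnerable pattern (for contrast, never called): the peer-supplied index goes
 * straight into the array, so idx >= num_interfaces reads past the table. */
int select_interface_unchecked(const usb_device *dev, uint32_t idx)
{
    return dev->interface_ids[idx];
}

/* Hardened pattern: validate the untrusted index against the table size before
 * using it, and report failure instead of reading out of bounds. */
bool select_interface_checked(const usb_device *dev, uint32_t idx, int *out)
{
    if (dev == NULL || out == NULL || idx >= dev->num_interfaces || idx >= MAX_INTERFACES)
        return false; /* reject: index outside the valid range */
    *out = dev->interface_ids[idx];
    return true;
}

/* Parse a constructed "select interface" request carrying a 4-byte little-endian
 * interface number; truncated requests are rejected before decoding. */
bool handle_select_interface(const usb_device *dev, const uint8_t *msg, size_t len, int *out)
{
    if (msg == NULL || len < 4)
        return false;
    uint32_t idx = (uint32_t)msg[0] | ((uint32_t)msg[1] << 8) |
                   ((uint32_t)msg[2] << 16) | ((uint32_t)msg[3] << 24);
    return select_interface_checked(dev, idx, out);
}

/* Demo: encode `idx` as the wire field and send it to a device with two valid
 * interfaces; returns the selected id, or -1 if the request was rejected. */
int demo_select(uint32_t idx, size_t wire_len)
{
    usb_device dev = { 2, { 10, 20, 0, 0 } };
    uint8_t msg[4] = { (uint8_t)idx, (uint8_t)(idx >> 8), (uint8_t)(idx >> 16), (uint8_t)(idx >> 24) };
    int id = -1;
    return handle_select_interface(&dev, msg, wire_len > 4 ? 4 : wire_len, &id) ? id : -1;
}
```

Passing a wire_len below 4 to demo_select simulates a truncated request, which the handler rejects before it ever decodes an index.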
Details
- CWE(s)