CVE-2026-24681

Severity: High

Published: 09 February 2026
Modified: 10 February 2026
KEV Added: not listed
Patch: available
CVSS v4.0 score: 8.7 (vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0047 (36.9th percentile)
Risk priority: 55 (floored blend, peak EPSS)

Summary

CVE-2026-24681 is a high-severity Use After Free (CWE-416) vulnerability in Freerdp Freerdp. Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 36.9th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).

Deeper analysis

CVE-2026-24681 is a use-after-free vulnerability (CWE-416) in FreeRDP, a free implementation of the Remote Desktop Protocol (RDP). In versions prior to 3.22.0, an asynchronous bulk transfer completion can invoke a channel callback that was already freed when the URBDRC (USB device redirection) channel was closed; the use-after-free occurs in the urb_write_completion function. This flaw has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating high severity driven by the availability impact alone.

Remote attackers with network access can exploit this vulnerability without authentication or user interaction by triggering the use-after-free during RDP sessions that use the URBDRC channel. Successful exploitation results in denial of service through application crashes; it does not yield confidentiality or integrity impact.

The vulnerability is fixed in FreeRDP version 3.22.0. The official patch is available in GitHub commit 414f701464929c217f2509bcbd6d2c1f00f7ed73, and further details are provided in the FreeRDP security advisory at GHSA-ccvv-hg2w-6x9j. Security practitioners should prioritize updating affected FreeRDP instances to mitigate this issue.
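The bug class described above (an asynchronous completion dereferencing a channel callback that was freed when the channel closed) and its standard defence can be shown in a small model. The following C program is an added example written for this page; it is not FreeRDP code and does not reproduce the project's actual patch. All names (channel_cb, transfer, submit_write, write_completion, channel_close) are hypothetical. Each in-flight transfer holds its own reference to the callback object, so closing the channel can only mark the callback dead; the memory is released by whichever side drops the last reference, and a completion that arrives after close is suppressed instead of touching freed memory.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical model (not FreeRDP code) of a channel callback object that
 * asynchronous bulk-transfer completions dereference. The defence shown is
 * reference counting: the owner holds one reference and every in-flight
 * transfer holds another, so the object outlives every pending completion. */

static int g_freed;   /* number of callback objects freed, for checking */

typedef struct channel_cb {
    int refs;         /* owner reference + one per in-flight transfer */
    int closed;       /* set once the channel is closed */
    int writes_done;  /* completions actually delivered to the callback */
} channel_cb;

typedef struct transfer {
    channel_cb *cb;   /* reference kept for the lifetime of the transfer */
    size_t len;
} transfer;

static channel_cb *cb_new(void)
{
    channel_cb *cb = calloc(1, sizeof(*cb));
    if (!cb)
        abort();
    cb->refs = 1;     /* owned by the channel */
    return cb;
}

static void cb_unref(channel_cb *cb)
{
    if (--cb->refs == 0) {
        free(cb);
        g_freed++;
    }
}

/* Submit an asynchronous bulk write; the transfer takes its own reference. */
static transfer *submit_write(channel_cb *cb, size_t len)
{
    transfer *t = calloc(1, sizeof(*t));
    if (!t)
        abort();
    cb->refs++;
    t->cb = cb;
    t->len = len;
    return t;
}

/* Completion handler. cb is guaranteed live because the transfer holds a
 * reference; the closed flag decides whether the callback may still run.
 * Returns 1 if the callback was invoked, 0 if it was suppressed. */
static int write_completion(transfer *t)
{
    int delivered = 0;
    if (!t->cb->closed) {
        t->cb->writes_done++;
        delivered = 1;
    }
    cb_unref(t->cb);  /* possibly the last reference: freed here, safely */
    free(t);
    return delivered;
}

/* Closing marks the callback dead and drops the owner's reference; memory
 * is released only once no transfer still refers to it. */
static void channel_close(channel_cb *cb)
{
    cb->closed = 1;
    cb_unref(cb);
}

int freed_count(void) { return g_freed; }

/* Ordering from the advisory: the channel closes while a write is in flight. */
int scenario_close_then_complete(void)
{
    g_freed = 0;
    channel_cb *cb = cb_new();
    transfer *t = submit_write(cb, 64);
    channel_close(cb);            /* refs 2 -> 1, memory still valid */
    return write_completion(t);   /* callback suppressed, refs 1 -> 0, freed */
}

/* Normal ordering: the write completes before the channel closes. */
int scenario_complete_then_close(void)
{
    g_freed = 0;
    channel_cb *cb = cb_new();
    transfer *t = submit_write(cb, 64);
    int delivered = write_completion(t);  /* refs 2 -> 1 */
    channel_close(cb);                    /* refs 1 -> 0, freed */
    return delivered;
}

int main(void)
{
    int d1 = scenario_close_then_complete();
    int f1 = freed_count();
    int d2 = scenario_complete_then_close();
    int f2 = freed_count();
    printf("close-then-complete: delivered=%d freed=%d\n", d1, f1);
    printf("complete-then-close: delivered=%d freed=%d\n", d2, f2);
    return 0;
}
```

In both orderings the object is freed exactly once and never after a dereference. Building this model with AddressSanitizer (-fsanitize=address) and removing the extra reference taken in submit_write reproduces the crash-on-close pattern the advisory describes, which is also what a detection engineer should expect to see in crash reports: the faulting frame is the completion handler, not the close path.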

Vulnerability details

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.22.0, asynchronous bulk transfer completions can use a freed channel callback after URBDRC channel close, leading to a use after free in urb_write_completion. This vulnerability is fixed in 3.22.0.

CWE(s)

CWE-416 Use After Free

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1499.004 Application or System Exploitation (Impact): Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

Why these techniques?

Remote network exploitation of UAF in FreeRDP (public-facing RDP service) directly enables application DoS via crafted URBDRC traffic.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

- CVE-2026-24678 (same product: Freerdp Freerdp)
- CVE-2026-27950 (same product: Freerdp Freerdp)
- CVE-2026-22857 (same product: Freerdp Freerdp)
- CVE-2026-24680 (same product: Freerdp Freerdp)
- CVE-2026-24675 (same product: Freerdp Freerdp)
- CVE-2026-25954 (same product: Freerdp Freerdp)
- CVE-2026-24491 (same product: Freerdp Freerdp)
- CVE-2026-26986 (same product: Freerdp Freerdp)
- CVE-2026-24684 (same product: Freerdp Freerdp)
- CVE-2026-24676 (same product: Freerdp Freerdp)

Affected Assets

Vendor: freerdp
Product: freerdp
Versions: ≤ 3.22.0

Mitigating Controls (NIST 800-53 r5) (AI)

- SI-2 Flaw Remediation (prevent): Requires timely identification, reporting, and correction of software flaws like the use-after-free in FreeRDP prior to 3.22.0 to prevent remote DoS exploitation.
- RA-5 Vulnerability Monitoring and Scanning (detect): Enables ongoing vulnerability scanning to identify systems running vulnerable FreeRDP versions affected by CVE-2026-24681.
- System monitoring (detect): Provides system monitoring to detect indicators of exploitation such as application crashes from use-after-free during RDP URBDRC channel operations.
