CVE-2026-24684
Published: 09 February 2026
Summary
CVE-2026-24684 is a high-severity Use After Free (CWE-416) vulnerability in FreeRDP. Its CVSS base score is 7.5 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE ranks at the 4.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
Threat & Defense Details
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Use-after-free exploits that achieve arbitrary code execution are blocked or significantly hardened by non-executable pages and ASLR. Note that the impact recorded for this CVE is availability only (a crash of the FreeRDP client), which those controls do not prevent; the effective mitigation is updating to 3.22.0.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A use-after-free in the FreeRDP client's RDPSND handling allows a remote, unauthenticated attacker to crash the process with crafted RDP packets, which maps directly to application exploitation for endpoint denial of service.
NVD Description
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.22.0, the RDPSND async playback thread can process queued PDUs after the channel is closed and internal state is freed, leading to a use after free in rdpsnd_treat_wave.…
This vulnerability is fixed in 3.22.0.
Deeper analysis
CVE-2026-24684 is a use-after-free vulnerability (CWE-416) in FreeRDP, an open-source implementation of the Remote Desktop Protocol (RDP). The issue affects versions prior to 3.22.0 and occurs in the RDPSND (RDP Sound) async playback thread, where queued Protocol Data Units (PDUs) can be processed after the channel is closed and internal state is freed, specifically triggering the flaw in the rdpsnd_treat_wave function. This vulnerability has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating high severity primarily due to its potential for denial-of-service impacts.
A remote attacker with network access to a vulnerable FreeRDP client can exploit this flaw without authentication or user interaction by sending specially crafted RDP packets that manipulate the RDPSND channel. Upon channel closure, the async thread may continue processing stale PDUs against freed memory, leading to a crash of the FreeRDP client process and causing a denial of service. No confidentiality or integrity impacts are possible, as the CVSS vector confirms.
The FreeRDP security advisory (GHSA-vcgv-xgjp-h83q) and related commits detail the fix implemented in version 3.22.0, with patches available at commit 622bb7b4402491ca003f47472d0e478132673696 and commit afa6851dc80835d3101e40fcef51b6c5c0f43ea5. Security practitioners should update FreeRDP clients to 3.22.0 or later to mitigate this issue, as no workarounds are specified in the provided references.
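The teardown ordering that the analysis above describes (stop the async playback worker before freeing the channel state), as an added illustration in C that is not FreeRDP's code: the channel_t, playback_worker, channel_queue_pdu, channel_close and demo_burst_then_close names, the ring-buffer queue and the 8-byte PDU stand-in are constructed for this example and do not correspond to FreeRDP's rdpsnd implementation.

```c
/* Constructed example, not FreeRDP source: a sound channel whose PDUs are
 * played by an async worker thread. The hazard class behind CVE-2026-24684 is
 * freeing the channel state while the worker can still dequeue PDUs. The
 * teardown below flags closing, wakes and joins the worker, drains the queue,
 * and only then frees the state, so no PDU is processed against freed memory. */
#include <pthread.h>
#include <sched.h>
#include <stdbool.h>
#include <stdlib.h>

#define QUEUE_CAP 16

typedef struct { unsigned char payload[8]; } pdu_t;   /* stand-in for a wave PDU */

typedef struct {
    pthread_mutex_t lock;
    pthread_cond_t cv;
    pdu_t queue[QUEUE_CAP];
    int head, tail, count, processed;   /* processed: PDUs the worker played */
    bool closing;                       /* set by channel_close(); worker must exit */
    pthread_t worker;
} channel_t;

typedef struct { int processed, dropped; } close_stats_t;

static void *playback_worker(void *arg)
{
    channel_t *ch = arg;
    for (;;) {
        pthread_mutex_lock(&ch->lock);
        while (ch->count == 0 && !ch->closing)
            pthread_cond_wait(&ch->cv, &ch->lock);
        if (ch->closing) {                    /* leftovers are drained by close() */
            pthread_mutex_unlock(&ch->lock);
            return NULL;
        }
        /* real code would copy the PDU out here and feed it to the audio device */
        ch->head = (ch->head + 1) % QUEUE_CAP;
        ch->count--;
        ch->processed++;
        pthread_mutex_unlock(&ch->lock);
    }
}

channel_t *channel_open(void)
{
    channel_t *ch = calloc(1, sizeof *ch);
    if (!ch) return NULL;
    pthread_mutex_init(&ch->lock, NULL);
    pthread_cond_init(&ch->cv, NULL);
    if (pthread_create(&ch->worker, NULL, playback_worker, ch) != 0) {
        free(ch);
        return NULL;
    }
    return ch;
}

/* Returns false once the channel is closing or while the queue is full. */
bool channel_queue_pdu(channel_t *ch, const pdu_t *pdu)
{
    bool ok = false;
    pthread_mutex_lock(&ch->lock);
    if (!ch->closing && ch->count < QUEUE_CAP) {
        ch->queue[ch->tail] = *pdu;
        ch->tail = (ch->tail + 1) % QUEUE_CAP;
        ch->count++;
        ok = true;
        pthread_cond_signal(&ch->cv);
    }
    pthread_mutex_unlock(&ch->lock);
    return ok;
}

/* Safe order: flag closing -> wake and join the worker -> drain -> free.
 * After pthread_join no other thread can touch ch, so the free cannot race. */
close_stats_t channel_close(channel_t *ch)
{
    close_stats_t st;
    pthread_mutex_lock(&ch->lock);
    ch->closing = true;
    pthread_cond_broadcast(&ch->cv);
    pthread_mutex_unlock(&ch->lock);
    pthread_join(ch->worker, NULL);
    st.processed = ch->processed;
    st.dropped = ch->count;                   /* stale PDUs are discarded, never played */
    pthread_cond_destroy(&ch->cv);
    pthread_mutex_destroy(&ch->lock);
    free(ch);
    return st;
}

/* Queue n constructed PDUs and close immediately: whatever the worker's progress,
 * every PDU is accounted for as either played or dropped. */
close_stats_t demo_burst_then_close(int n)
{
    channel_t *ch = channel_open();
    if (!ch) return (close_stats_t){0, 0};
    for (int i = 0; i < n; i++) {
        pdu_t pdu = {{ (unsigned char)i }};
        while (!channel_queue_pdu(ch, &pdu)) sched_yield();   /* queue full: wait */
    }
    return channel_close(ch);
}
```

The split between played and dropped varies from run to run because the worker runs concurrently, but the sum always equals the number queued; the property that matters is that channel_close only frees the state after pthread_join, so the worker can never dereference it afterwards. A caller that can still queue PDUs after close is the remaining contract to enforce in real code.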
Details
- CWE(s)