CVE-2026-24684
Published: 09 February 2026
Summary
CVE-2026-24684 is a high-severity Use After Free (CWE-416) vulnerability in FreeRDP (vendor/product listed as Freerdp Freerdp). Its CVSS base score is 8.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). It ranks at the 40.9th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).
Deeper analysis
CVE-2026-24684 is a use-after-free vulnerability (CWE-416) in FreeRDP, an open-source implementation of the Remote Desktop Protocol (RDP). The issue affects versions prior to 3.22.0 and occurs in the RDPSND (RDP Sound) async playback thread, where queued Protocol Data Units (PDUs) can be processed after the channel is closed and internal state is freed, specifically triggering the flaw in the rdpsnd_treat_wave function. This vulnerability has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating high severity primarily due to its potential for denial-of-service impacts.
A remote attacker with network access to a vulnerable FreeRDP client can exploit this flaw without authentication or user interaction by sending specially crafted RDP packets that manipulate the RDPSND channel. Upon channel closure, the async thread may continue processing stale PDUs against freed memory, crashing the FreeRDP client process and causing a denial of service. The CVSS vector records no confidentiality or integrity impact.
The FreeRDP security advisory (GHSA-vcgv-xgjp-h83q) and related commits detail the fix implemented in version 3.22.0, with patches available at commit 622bb7b4402491ca003f47472d0e478132673696 and commit afa6851dc80835d3101e40fcef51b6c5c0f43ea5. Security practitioners should update FreeRDP clients to 3.22.0 or later to mitigate this issue, as no workarounds are specified in the provided references.
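The lifecycle hazard described above (a worker thread touching channel state after close has freed it) is easiest to see in a small model. The following is an added illustration, not FreeRDP's code and not the content of the referenced fix commits: a hypothetical async playback channel in C whose close routine stops intake, wakes and joins the worker, and only then frees the state the worker dereferences. All names here (`channel_t`, the `treat_wave` stand-in, `QUEUE_CAP`, the PDU layout) are constructed for the example.

```c
#include <pthread.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model of an async playback channel (not FreeRDP's code):
 * a producer queues PDUs, a worker thread "plays" them against heap
 * state, and close() must retire the worker before that state is freed. */
#define QUEUE_CAP 64

typedef struct {
    int id;
    size_t len;
} pdu_t;

typedef struct {
    pthread_mutex_t lock;
    pthread_cond_t cond;
    pthread_t worker;
    pdu_t queue[QUEUE_CAP];
    size_t head, tail, count;
    bool closing;
    uint64_t *device;        /* "internal state" the worker dereferences */
    uint64_t bytes_played;   /* snapshot of *device taken after join */
    size_t processed, dropped;
} channel_t;

/* Stand-in for the per-PDU playback step. It dereferences ch->device,
 * which is the access that becomes a use-after-free if close() frees
 * the device while this thread is still running. */
static void treat_wave(channel_t *ch, const pdu_t *pdu)
{
    *ch->device += pdu->len;
}

static void *worker_main(void *arg)
{
    channel_t *ch = arg;
    for (;;) {
        pthread_mutex_lock(&ch->lock);
        while (ch->count == 0 && !ch->closing)
            pthread_cond_wait(&ch->cond, &ch->lock);
        if (ch->count == 0) {            /* closing and nothing left */
            pthread_mutex_unlock(&ch->lock);
            break;
        }
        pdu_t pdu = ch->queue[ch->head];
        ch->head = (ch->head + 1) % QUEUE_CAP;
        ch->count--;
        bool stale = ch->closing;        /* queued before close, seen after */
        if (stale)
            ch->dropped++;
        pthread_mutex_unlock(&ch->lock);

        if (stale)
            continue;                    /* never play a PDU once close began */
        treat_wave(ch, &pdu);            /* device still valid: close() joins first */
        pthread_mutex_lock(&ch->lock);
        ch->processed++;
        pthread_mutex_unlock(&ch->lock);
    }
    return NULL;
}

int channel_open(channel_t *ch)
{
    memset(ch, 0, sizeof *ch);
    pthread_mutex_init(&ch->lock, NULL);
    pthread_cond_init(&ch->cond, NULL);
    ch->device = calloc(1, sizeof *ch->device);
    if (!ch->device)
        return -1;
    if (pthread_create(&ch->worker, NULL, worker_main, ch) != 0) {
        free(ch->device);
        return -1;
    }
    return 0;
}

/* Returns false once close has begun: no new work is accepted. */
bool channel_queue_pdu(channel_t *ch, int id, size_t len)
{
    pthread_mutex_lock(&ch->lock);
    bool ok = !ch->closing && ch->count < QUEUE_CAP;
    if (ok) {
        ch->queue[ch->tail] = (pdu_t){ .id = id, .len = len };
        ch->tail = (ch->tail + 1) % QUEUE_CAP;
        ch->count++;
        pthread_cond_signal(&ch->cond);
    }
    pthread_mutex_unlock(&ch->lock);
    return ok;
}

/* Hardened order: mark closing, wake the worker, wait for it to exit,
 * and only then free the state it dereferences. Freeing before the join
 * is the pattern that produces a use-after-free. */
void channel_close(channel_t *ch)
{
    pthread_mutex_lock(&ch->lock);
    ch->closing = true;
    pthread_cond_broadcast(&ch->cond);
    pthread_mutex_unlock(&ch->lock);
    pthread_join(ch->worker, NULL);
    ch->bytes_played = *ch->device;
    free(ch->device);
    ch->device = NULL;
    pthread_cond_destroy(&ch->cond);
    pthread_mutex_destroy(&ch->lock);
}

/* Queues n PDUs of 16 bytes, closes the channel, and checks that every
 * PDU was either played or discarded and that every byte the worker
 * wrote landed before the device was freed. */
int scenario_ok(size_t n)
{
    channel_t ch;
    if (channel_open(&ch) != 0)
        return 0;
    size_t queued = 0;
    for (size_t i = 0; i < n; i++)
        if (channel_queue_pdu(&ch, (int)i, 16))
            queued++;
    channel_close(&ch);
    return queued == n && ch.processed + ch.dropped == n
        && ch.bytes_played == (uint64_t)ch.processed * 16;
}

int main(void)
{
    printf("scenario %s\n", scenario_ok(32) ? "consistent" : "INCONSISTENT");
    return 0;
}
```

The split between `processed` and `dropped` depends on scheduling; what the close routine guarantees is that their sum equals what was queued and that no PDU is played against freed memory, because the free happens strictly after `pthread_join`. Discarding PDUs that are dequeued after `closing` is set is one valid choice; draining them fully before the join is another, as long as the free stays last.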
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-6491
Vulnerability details
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.22.0, the RDPSND async playback thread can process queued PDUs after the channel is closed and internal state is freed, leading to a use after free in rdpsnd_treat_wave.…
This vulnerability is fixed in 3.22.0.
- CWE(s): CWE-416 (Use After Free)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Use-after-free in FreeRDP client RDPSND handling allows remote unauthenticated attacker to crash the process via crafted RDP packets, directly enabling application exploitation for endpoint denial of service.
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly mandates timely patching of the use-after-free in FreeRDP's RDPSND async thread, fixed in version 3.22.0.
- SI-16 (Memory Protection): provides memory protection mechanisms such as ASLR and DEP that mitigate exploitation of the use-after-free; they reduce the chance that the freed memory can be turned into anything beyond a client crash, but do not by themselves prevent the denial of service.
- RA-5 (Vulnerability Monitoring and Scanning): enables vulnerability scanning to identify deployments of FreeRDP versions affected by CVE-2026-24684.