CVE-2026-24684

EUVD-2026-6491
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.22.0, the RDPSND async playback thread can process queued PDUs after the channel is closed and internal state is freed, leading to a use after free in rdpsnd_treat_wave. This vulnerability is fixed in 3.22.0.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 2%
Affected Products (NVD)
VendorProductVersion
freerdpfreerdp
𝑥
< 3.22.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
freerdp2
bookworm
no-dsa
bullseye
vulnerable
bullseye (security)
vulnerable
trixie
no-dsa
freerdp3
bookworm
no-dsa
forky
3.22.0+dfsg-3
fixed
sid
3.22.0+dfsg-3
fixed
trixie
no-dsa
Common Weakness Enumeration
References
https://github.com/FreeRDP/FreeRDP/commit/622bb7b4402491ca003f47472d0e478132673696
https://github.com/FreeRDP/FreeRDP/commit/afa6851dc80835d3101e40fcef51b6c5c0f43ea5
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-vcgv-xgjp-h83q