CVE-2026-24678

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.22.0, A capture thread sends sample responses using a freed channel callback after a device channel close, leading to a use after free in ecam_channel_write. This vulnerability is fixed in 3.22.0.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/FreeRDP/FreeRDP/commit/f3ab1a16139036179d9852745fdade18fec11600	Patch
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-6gvg-29wx-6v7h	Patch Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:freerdp:freerdp:*:*:*:*:*:*:*:*

History

17 Jun 2026, 10:23

Type	Values Removed	Values Added
Summary		(es) FreeRDP es una implementación gratuita del Protocolo de Escritorio Remoto. Antes de la versión 3.22.0, un hilo de captura envía respuestas de muestra utilizando una devolución de llamada de canal liberado después del cierre de un canal de dispositivo, lo que lleva a un uso después de la liberación en ecam_channel_write. Esta vulnerabilidad está corregida en la versión 3.22.0.

10 Feb 2026, 15:08

Type	Values Removed	Values Added
First Time		Freerdp Freerdp freerdp
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 7.5
References	~~() https://github.com/FreeRDP/FreeRDP/commit/f3ab1a16139036179d9852745fdade18fec11600 -~~	() https://github.com/FreeRDP/FreeRDP/commit/f3ab1a16139036179d9852745fdade18fec11600 - Patch
References	~~() https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-6gvg-29wx-6v7h -~~	() https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-6gvg-29wx-6v7h - Patch, Vendor Advisory
CPE		cpe:2.3:a:freerdp:freerdp::::::::

09 Feb 2026, 19:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-02-09 19:15

Updated : 2026-06-17 10:23

NVD link : CVE-2026-24678

Mitre link : CVE-2026-24678

CVE.ORG link : CVE-2026-24678

JSON object : View

Products Affected

freerdp

freerdp

CWE

CWE-416

Use After Free

{"id": "CVE-2026-24678", "cveTags": [], "metrics": {"ssvcV203": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "ssvcData": {"id": "CVE-2026-24678", "role": "CISA Coordinator", "options": [{"exploitation": "none"}, {"automatable": "yes"}, {"technicalImpact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-10T15:40:06.900664Z"}}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}], "cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.7, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "affected": [{"source": "security-advisories@github.com", "affectedData": [{"vendor": "FreeRDP", "product": "FreeRDP", "versions": [{"status": "affected", "version": "< 3.22.0"}]}]}], "published": "2026-02-09T19:15:49.190", "references": [{"url": "https://github.com/FreeRDP/FreeRDP/commit/f3ab1a16139036179d9852745fdade18fec11600", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-6gvg-29wx-6v7h", "tags": ["Patch", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-416"}]}], "descriptions": [{"lang": "en", "value": "FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.22.0, A capture thread sends sample responses using a freed channel callback after a device channel close, leading to a use after free in ecam_channel_write. This vulnerability is fixed in 3.22.0."}, {"lang": "es", "value": "FreeRDP es una implementaci\u00f3n gratuita del Protocolo de Escritorio Remoto. Antes de la versi\u00f3n 3.22.0, un hilo de captura env\u00eda respuestas de muestra utilizando una devoluci\u00f3n de llamada de canal liberado despu\u00e9s del cierre de un canal de dispositivo, lo que lleva a un uso despu\u00e9s de la liberaci\u00f3n en ecam_channel_write. Esta vulnerabilidad est\u00e1 corregida en la versi\u00f3n 3.22.0."}], "lastModified": "2026-06-17T10:23:24.437", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:freerdp:freerdp:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "9E363251-2275-4F89-B397-67FE461B63A0", "versionEndExcluding": "3.22.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}