CVE-2026-24491

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2026-24491
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-24491.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2026-24491
Aliases
  • GHSA-4x6j-w49r-869g
Downstream
Related
Published
2026-02-09T18:13:44.302Z
Modified
2026-04-17T13:29:22.913646246Z
Severity
  • 7.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P CVSS Calculator
Summary
FreeRDP has a heap-use-after-free in video_timer
Details

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.22.0, video_timer can send client notifications after the control channel is closed, dereferencing a freed callback and triggering a use after free. This vulnerability is fixed in 3.22.0.

Database specific 
{
    "cwe_ids": [
        "CWE-416"
    ],
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/24xxx/CVE-2026-24491.json"
}
References

Affected packages

Git / github.com/freerdp/freerdp

Affected ranges

Type
GIT
Repo
https://github.com/freerdp/freerdp
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
e3ef4c71138f76516299cb3637d2d0c59b2a3737
Fixed
e02e052f6692550e539d10f99de9c35a23492db2
Database specific 
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "3.22.0"
        }
    ]
}

Affected versions

1.*
1.0-beta1
1.0-beta2
1.0-beta4
1.0-beta5
1.0.0
1.0.1
1.1.0-beta+2013071101
1.1.0-beta1
1.1.0-beta1+android2
1.1.0-beta1+android3
1.1.0-beta1+android4
1.1.0-beta1+android5
1.1.0-beta1+ios1
1.1.0-beta1+ios2
1.1.0-beta1+ios3
1.1.0-beta1+ios4
1.2.0-beta1+android7
1.2.0-beta1+android9
2.*
2.0.0
2.0.0-beta1+android10
2.0.0-beta1+android11
2.0.0-rc0
2.0.0-rc1
2.0.0-rc2
2.0.0-rc3
2.0.0-rc4
3.*
3.0.0
3.0.0-beta1
3.0.0-beta2
3.0.0-beta3
3.0.0-beta4
3.0.0-rc0
3.1.0
3.2.0
3.3.0
3.4.0
3.5.0
3.5.1

Database specific

vanir_signatures 
[
    {
        "target": {
            "function": "dvcman_channel_close",
            "file": "channels/drdynvc/client/drdynvc_main.c"
        },
        "signature_type": "Function",
        "source": "https://github.com/freerdp/freerdp/commit/e02e052f6692550e539d10f99de9c35a23492db2",
        "id": "CVE-2026-24491-068dd9c5",
        "signature_version": "v1",
        "deprecated": false,
        "digest": {
            "function_hash": "150447063475564808531401900353407225605",
            "length": 1340.0
        }
    },
    {
        "signature_version": "v1",
        "signature_type": "Line",
        "source": "https://github.com/freerdp/freerdp/commit/e02e052f6692550e539d10f99de9c35a23492db2",
        "id": "CVE-2026-24491-2591c3a8",
        "target": {
            "file": "channels/drdynvc/client/drdynvc_main.c"
        },
        "deprecated": false,
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "19085630077178139754189507018731019505",
                "130932447383552362843890162708195565560",
                "5083833008545266748929200372956606617",
                "154386547398197987043670474083181185230",
                "257135706858272507437651268612105593791",
                "123189337732039713615434728059967356360",
                "197933030425391664242631355155026119607",
                "107208268041102050855248704935252035725",
                "204233901409492023643686250543053676405",
                "189455268364164066581566161466170593526",
                "125053366832890905343029810232994575217",
                "121813034594507783012956143508703911262",
                "172170180069735042953511859242377234107",
                "143920818290204756445860968991829411894",
                "198697218770388348292977964493595301396",
                "77203012685898765496484837077219981960",
                "292068621348264313998452081978466995086",
                "177846677568628819446641479928813024151"
            ]
        }
    },
    {
        "target": {
            "function": "dvcman_open_channel",
            "file": "channels/drdynvc/client/drdynvc_main.c"
        },
        "signature_type": "Function",
        "id": "CVE-2026-24491-be80b1cd",
        "source": "https://github.com/freerdp/freerdp/commit/e02e052f6692550e539d10f99de9c35a23492db2",
        "signature_version": "v1",
        "deprecated": false,
        "digest": {
            "length": 546.0,
            "function_hash": "259016052461973279009365564504169604615"
        }
    }
]
source 
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-24491.json"
vanir_signatures_modified 
"2026-04-16T14:50:15Z"