CVE-2026-24684

Source
https://cve.org/CVERecord?id=CVE-2026-24684
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-24684.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2026-24684
Aliases
  • GHSA-vcgv-xgjp-h83q
Downstream
Related
Published
2026-02-09T18:23:02.882Z
Modified
2026-02-22T01:29:05.808987Z
Severity
  • 8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N CVSS Calculator
Summary
FreeRDP has a Heap-use-after-free in play_thread
Details

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.22.0, the RDPSND async playback thread can process queued PDUs after the channel is closed and internal state is freed, leading to a use after free in rdpsndtreatwave. This vulnerability is fixed in 3.22.0.

Database specific
{
    "cwe_ids": [
        "CWE-416"
    ],
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/24xxx/CVE-2026-24684.json"
}
References

Affected packages

Git / github.com/freerdp/freerdp

Affected ranges

Type
GIT
Repo
https://github.com/freerdp/freerdp
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

1.*
1.0-beta1
1.0-beta2
1.0-beta3
1.0-beta4
1.0-beta5
1.0.0
1.0.1
1.1.0-beta+2013071101
1.1.0-beta1
1.1.0-beta1+android2
1.1.0-beta1+android3
1.1.0-beta1+android4
1.1.0-beta1+android5
1.1.0-beta1+ios1
1.1.0-beta1+ios2
1.1.0-beta1+ios3
1.1.0-beta1+ios4
1.2.0-beta1+android7
1.2.0-beta1+android9
2.*
2.0.0
2.0.0-beta1+android10
2.0.0-beta1+android11
2.0.0-rc0
2.0.0-rc1
2.0.0-rc2
2.0.0-rc3
2.0.0-rc4
3.*
3.0.0
3.0.0-beta1
3.0.0-beta2
3.0.0-beta3
3.0.0-beta4
3.0.0-rc0
3.1.0
3.10.0
3.10.1
3.10.2
3.10.3
3.11.0
3.11.1
3.12.0
3.13.0
3.14.0
3.14.1
3.15.0
3.16.0
3.17.0
3.17.1
3.17.2
3.18.0
3.19.0
3.19.1
3.2.0
3.20.0
3.20.1
3.20.2
3.21.0
3.3.0
3.4.0
3.5.0
3.5.1
3.6.0
3.6.1
3.6.2
3.6.3
3.7.0
3.9.0

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-24684.json"