Skip to main content

FreeRDP CVE-2026-24678

HIGH
Use After Free (CWE-416)
2026-02-09 security-advisories@github.com
8.7
CVSS 4.0 · Vendor: github
Share

Severity by source

Vendor (github) PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
5.9 MEDIUM

Network-reachable via malicious server (AV:N) but requires a use-after-free race plus the camera channel in use (AC:H); only a client crash, so C:N/I:N/A:H.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
SUSE
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Red Hat
5.3 HIGH
qualitative

Primary rating from Vendor (github).

CVSS VectorVendor: github

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

10
Analysis Updated
Jun 30, 2026 - 05:53 vuln.today
v5 (cvss_changed)
Analysis Updated
Jun 30, 2026 - 05:52 vuln.today
v4 (cvss_changed)
Source Code Evidence Fetched
Jun 30, 2026 - 05:50 vuln.today
Analysis Updated
Jun 30, 2026 - 05:50 vuln.today
v3 (cvss_changed)
Analysis Updated
Jun 30, 2026 - 05:49 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 30, 2026 - 03:23 vuln.today
cvss_changed
CVSS changed
Jun 30, 2026 - 03:23 NVD
7.5 (HIGH) 8.7 (HIGH)
Analysis Generated
Mar 12, 2026 - 21:54 vuln.today
Patch released
Feb 10, 2026 - 15:08 nvd
Patch available
CVE Published
Feb 09, 2026 - 19:15 nvd
HIGH 7.5

DescriptionCVE.org

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.22.0, A capture thread sends sample responses using a freed channel callback after a device channel close, leading to a use after free in ecam_channel_write. This vulnerability is fixed in 3.22.0.

AnalysisAI

Denial-of-service in FreeRDP's camera redirection (rdpecam) client channel allows a malicious or compromised RDP server to crash connected clients running versions prior to 3.22.0. The capture thread continues sending sample responses through a channel callback that was already freed when the device channel closed, producing a use-after-free in ecam_channel_write. EPSS is low (0.02%), it is not on CISA KEV, and no public exploit identified at time of analysis, but an upstream fix and multiple distro advisories exist.

Technical ContextAI

FreeRDP is the predominant open-source implementation of Microsoft's Remote Desktop Protocol (RDP), embedded in clients such as Remmina, the Windows App, and shipped across enterprise Linux distributions (Red Hat, SUSE). The flaw lives in the RDP Video Capture virtual channel extension (MS-RDPECAM), implemented in channels/rdpecam/client/camera_device_main.c. The root cause is CWE-416 (Use After Free): a worker/capture thread asynchronously emits camera sample responses via a per-device channel callback, but on device channel close the callback object is freed without first stopping the active streams. The capture thread then dereferences and writes through the dangling callback in ecam_channel_write. The committed fix (f3ab1a16) iterates all ECAM_DEVICE_MAX_STREAMS and calls ecam_dev_stop_stream() inside ecam_dev_on_close(), ensuring streams are halted before the callback is released, closing the race.

RemediationAI

Vendor-released patch: FreeRDP 3.22.0 - upgrade to 3.22.0 or later as the primary fix (upstream commit f3ab1a16139036179d9852745fdade18fec11600, advisory https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-6gvg-29wx-6v7h). For distribution packages, apply the corresponding errata: Red Hat https://access.redhat.com/errata/RHSA-2026:3068 and https://access.redhat.com/errata/RHSA-2026:4121, and SUSE https://www.suse.com/support/update/SUSE-SU-2026:0763/. If immediate patching is not possible, disable camera/webcam redirection in the FreeRDP client (do not pass the camera/video-capture channel, e.g. avoid enabling /camera or the rdpecam dynamic channel), which removes the vulnerable code path at the cost of losing local webcam passthrough into the remote session; additionally, only connect to trusted RDP servers, since a hostile or compromised server is what drives the malicious channel behavior.

CVE-2026-25997 CRITICAL POC
9.8 Feb 25

Use-after-free in FreeRDP xf_clipboard_format_equal before 3.23.0. Clipboard format comparison uses freed memory. Fifth

CVE-2026-25953 CRITICAL POC
9.8 Feb 25

Use-after-free in FreeRDP xf_AppUpdateWindowFromSurface before 3.23.0. Surface-to-window update triggers memory corrupti

CVE-2026-25952 CRITICAL POC
9.8 Feb 25

Use-after-free in FreeRDP xf_SetWindowMinMaxInfo before version 3.23.0. X11 client window management triggers memory cor

CVE-2026-25959 CRITICAL POC
9.8 Feb 25

Use-after-free in FreeRDP xf_cliprdr_provide_data clipboard handling before 3.23.0. Clipboard data exchange triggers mem

CVE-2026-22857 CRITICAL POC
9.8 Jan 14

FreeRDP IRP thread handler has a use-after-free where the IRP is freed by Complete() then accessed on the error path. Fi

CVE-2026-22854 CRITICAL POC
9.8 Jan 14

FreeRDP drive read heap overflow when server-controlled read length exceeds IRP output buffer. Fixed in 3.20.1. PoC avai

CVE-2026-22852 CRITICAL POC
9.8 Jan 14

FreeRDP client before 3.20.1 has a heap buffer overflow in AUDIN format processing. A malicious RDP server can corrupt m

CVE-2026-25955 CRITICAL POC
9.8 Feb 25

Use-after-free in FreeRDP xf_AppUpdateWindowFromSurface before 3.23.0. Different code path from CVE-2026-25953. PoC and

CVE-2024-32041 CRITICAL POC
9.8 Apr 22

FreeRDP is a free implementation of the Remote Desktop Protocol. Rated critical severity (CVSS 9.8), this vulnerability

CVE-2023-40574 CRITICAL POC
9.8 Aug 31

FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license. Rated critical

CVE-2023-40569 CRITICAL POC
9.8 Aug 31

FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license. Rated critical

CVE-2023-40567 CRITICAL POC
9.8 Aug 31

FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license. Rated critical

Vendor StatusVendor

SUSE

Severity: High
Product Status
Container suse/sl-micro/6.0/baremetal-os-container:latest Container suse/sl-micro/6.0/kvm-os-container:latest Container suse/sl-micro/6.0/rt-os-container:latest Affected
Container suse/sl-micro/6.0/base-os-container:latest Container suse/sl-micro/6.0/toolbox:latest Image SL-Micro Image SLE-Micro Image SLE-Micro-Azure Image SLE-Micro-BYOS Image SLE-Micro-BYOS-Azure Image SLE-Micro-BYOS-EC2 Image SLE-Micro-BYOS-GCE Image SLE-Micro-EC2 Image SLE-Micro-GCE Affected
Container suse/sl-micro/6.1/baremetal-os-container:2.2.1-7.43 Container suse/sl-micro/6.1/kvm-os-container:2.2.1-5.67 Container suse/sl-micro/6.1/rt-os-container:2.2.1-5.57 Affected
Container suse/sl-micro/6.1/base-os-container:2.2.1-5.64 Image SL-Micro-Azure Image SL-Micro-BYOS-Azure Image SL-Micro-BYOS-EC2 Image SL-Micro-BYOS-GCE Image SL-Micro-EC2 Image SUSE-Multi-Linux-Manager-Proxy-BYOS-Azure Image SUSE-Multi-Linux-Manager-Proxy-BYOS-EC2 Image SUSE-Multi-Linux-Manager-Proxy-BYOS-GCE Image SUSE-Multi-Linux-Manager-Server-Azure-llc Image SUSE-Multi-Linux-Manager-Server-Azure-ltd Image SUSE-Multi-Linux-Manager-Server-BYOS-Azure Image SUSE-Multi-Linux-Manager-Server-BYOS-EC2 Image SUSE-Multi-Linux-Manager-Server-BYOS-GCE Image SUSE-Multi-Linux-Manager-Server-EC2-llc Image SUSE-Multi-Linux-Manager-Server-EC2-ltd Affected
SUSE Linux Enterprise Desktop 15 SP7 SUSE Linux Enterprise Server 15 SP7 SUSE Linux Enterprise Server for SAP Applications 15 SP7 SUSE Linux Enterprise Workstation Extension 15 SP7 Fixed

Share

CVE-2026-24678 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy