DEBIAN-CVE-2026-24684

DEBIAN-CVE-2026-24684 PUBLISHED CVSS 7.5 HIGH

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.22.0, the RDPSND async playback thread can process queued PDUs after the channel is closed and internal state is freed, leading to a use after free in rdpsnd_treat_wave. This vulnerability is fixed in 3.22.0.

Risk Scores

CVSS 3.1
7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected Products

Vendor     Product   Versions
Debian:11  freerdp2  2.10.0+dfsg1-1, *, *
Debian:13  freerdp3  *, 0, 3.15.0+dfsg-2.1
Debian:14  freerdp3  3.17.2+dfsg, 3.17.2+dfsg, 3.17.1+dfsg
Debian:12  freerdp2  2.11.2+dfsg1-1.1~exp1, 2.11.7+dfsg1, 2.11.7+dfsg1

Timeline

  • Feb 9, 2026 CVE Published
  • May 16, 2026 CVE Updated