{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24680", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-23T20:40:23.388Z", "datePublished": "2026-02-09T18:19:45.222Z", "dateUpdated": "2026-02-10T16:02:05.475Z"}, "containers": {"cna": {"title": "FreeRDP has a heap-use-after-free in update_pointer_new(SDL)", "problemTypes": [{"descriptions": [{"cweId": "CWE-416", "lang": "en", "description": "CWE-416: Use After Free", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 8.7, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-j893-9wg8-33rc", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-j893-9wg8-33rc"}, {"name": "https://github.com/FreeRDP/FreeRDP/commit/c42ecbd183b001e76bfc3614cddfad0034acc758", "tags": ["x_refsource_MISC"], "url": "https://github.com/FreeRDP/FreeRDP/commit/c42ecbd183b001e76bfc3614cddfad0034acc758"}], "affected": [{"vendor": "FreeRDP", "product": "FreeRDP", "versions": [{"version": "< 3.22.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-09T18:19:45.222Z"}, "descriptions": [{"lang": "en", "value": "FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.22.0, sdl_Pointer_New frees data on failure, then pointer_free calls sdl_Pointer_Free and frees it again, triggering ASan UAF. This vulnerability is fixed in 3.22.0."}], "source": {"advisory": "GHSA-j893-9wg8-33rc", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-10T15:40:03.973263Z", "id": "CVE-2026-24680", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-10T16:02:05.475Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-24680", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-10T15:40:03.973263Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-10T15:40:04.700Z"}}], "cna": {"title": "FreeRDP has a heap-use-after-free in update_pointer_new(SDL)", "source": {"advisory": "GHSA-j893-9wg8-33rc", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 8.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "FreeRDP", "product": "FreeRDP", "versions": [{"status": "affected", "version": "< 3.22.0"}]}], "references": [{"url": "https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-j893-9wg8-33rc", "name": "https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-j893-9wg8-33rc", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/FreeRDP/FreeRDP/commit/c42ecbd183b001e76bfc3614cddfad0034acc758", "name": "https://github.com/FreeRDP/FreeRDP/commit/c42ecbd183b001e76bfc3614cddfad0034acc758", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.22.0, sdl_Pointer_New frees data on failure, then pointer_free calls sdl_Pointer_Free and frees it again, triggering ASan UAF. This vulnerability is fixed in 3.22.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-416", "description": "CWE-416: Use After Free"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-09T18:19:45.222Z"}}}, "cveMetadata": {"cveId": "CVE-2026-24680", "state": "PUBLISHED", "dateUpdated": "2026-02-10T16:02:05.475Z", "dateReserved": "2026-01-23T20:40:23.388Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-09T18:19:45.222Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:freerdp:freerdp:*:*:*:*:*:*:*:*", "matchCriteriaId": "9E363251-2275-4F89-B397-67FE461B63A0", "versionEndExcluding": "3.22.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.22.0, sdl_Pointer_New frees data on failure, then pointer_free calls sdl_Pointer_Free and frees it again, triggering ASan UAF. This vulnerability is fixed in 3.22.0."}], "id": "CVE-2026-24680", "lastModified": "2026-02-10T15:06:48.767", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-02-09T19:15:49.477", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/FreeRDP/FreeRDP/commit/c42ecbd183b001e76bfc3614cddfad0034acc758"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-j893-9wg8-33rc"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-416"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "freerdp: FreeRDP has a heap-use-after-free in update_pointer_new(SDL)", "id": "2438209", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2438209"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "status": "draft"}, "cwe": "CWE-825", "details": ["No description is available for this CVE."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2026-24680", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "freerdp", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "freerdp", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "freerdp", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "freerdp", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "freerdp", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-02-09T18:19:45Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-24680\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-24680\nhttps://github.com/FreeRDP/FreeRDP/commit/c42ecbd183b001e76bfc3614cddfad0034acc758\nhttps://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-j893-9wg8-33rc"], "statement": "Availability impact is limited to the FreeRDP instance on Red Hat Products. General system availability is not at risk.", "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.22.0)"}}], "product": "freerdp", "vendor": "freerdp"}], "analysis": {"en": {"generated_at": "2026-04-18T18:15:49.087649+00:00", "value": {"mitigation_remediation": ["Upgrade FreeRDP to version\u00a03.22.0 or later, which contains the fix for the heap\u2011use\u2011after\u2011free bug.", "Use an alternative RDP client that does not expose the vulnerable SDL pointer handling code path.", "Restrict remote desktop connections to trusted networks or enforce VPN usage, ensuring that only authenticated clients can establish RDP sessions."], "summary": {"action": "Patch Now", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The flaw affects the FreeRDP open\u2011source RDP implementation before version\u00a03.22.0. Users of any FreeRDP package that includes the SDL pointer handling path are vulnerable. The issue was addressed in release\u00a03.22.0; the commit that contains the fix is referenced in the advisory.", "description_and_impact": "FreeRDP employs a heap\u2011based use\u2011after\u2011free bug when processing SDL pointer updates. During sdl_Pointer_New a failure triggers a free, after which pointer_free attempts to free the same object again, leading to an ASan reported UAF. This flaw fits CWE\u2011416 and CWE\u2011825 and may allow a remote RDP client to corrupt memory, potentially executing arbitrary code on the target system.", "risk_and_exploitability": "The CVSS score is 8.7, indicating a high\u2011severity vulnerability, while the EPSS probability is below\u00a01% and the flaw is not in the CISA KEV list. Attackers could trigger the use\u2011after\u2011free by sending crafted pointer update messages from a remote RDP session or by exploiting a vulnerable client connecting to a target. Successful exploitation requires remote connectivity to the vulnerable program and the ability to induce the fault condition during pointer handling."}}}}, "created": "2026-02-10T11:35:23.054875+00:00", "updated": "2026-04-18T18:30:07.270785+00:00", "vendors": ["freerdp", "freerdp$PRODUCT$freerdp"]}