{"id":"CVE-2026-24684","summary":"FreeRDP has a heap use-after-free in play_thread","details":"FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.22.0, the RDPSND async playback thread can process queued PDUs after the channel is closed and internal state is freed, leading to a use-after-free in rdpsnd_treat_wave. This vulnerability is fixed in 3.22.0.","aliases":["GHSA-vcgv-xgjp-h83q"],"modified":"2026-04-17T13:29:13.075219262Z","published":"2026-02-09T18:23:02.882Z","related":["ALSA-2026:6340","ALSA-2026:6799","ALSA-2026:6918","SUSE-SU-2026:0621-1","SUSE-SU-2026:0649-1","SUSE-SU-2026:0683-1","SUSE-SU-2026:0762-1","SUSE-SU-2026:0763-1","SUSE-SU-2026:1217-1","SUSE-SU-2026:1313-1","openSUSE-SU-2026:10132-1","openSUSE-SU-2026:10243-1","openSUSE-SU-2026:20320-1","openSUSE-SU-2026:20339-1"],"database_specific":{"cna_assigner":"GitHub_M","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/24xxx/CVE-2026-24684.json","cwe_ids":["CWE-416"]},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/24xxx/CVE-2026-24684.json"},{"type":"ADVISORY","url":"https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-vcgv-xgjp-h83q"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-24684"},{"type":"FIX","url":"https://github.com/FreeRDP/FreeRDP/commit/622bb7b4402491ca003f47472d0e478132673696"},{"type":"FIX","url":"https://github.com/FreeRDP/FreeRDP/commit/afa6851dc80835d3101e40fcef51b6c5c0f43ea5"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/freerdp/freerdp","events":[{"introduced":"0"},{"fixed":"e3ef4c71138f76516299cb3637d2d0c59b2a3737"},{"fixed":"622bb7b4402491ca003f47472d0e478132673696"},{"fixed":"afa6851dc80835d3101e40fcef51b6c5c0f43ea5"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"3.22.0"}]}}],"versions":["1.0-beta1","1.0-beta2","1.0-beta4","1.0-beta5","1.0.0","1.0.1","1.1.0-beta+2013071101","1.1.0-beta1","1.1.0-beta1+androi
d2","1.1.0-beta1+android3","1.1.0-beta1+android4","1.1.0-beta1+android5","1.1.0-beta1+ios1","1.1.0-beta1+ios2","1.1.0-beta1+ios3","1.1.0-beta1+ios4","1.2.0-beta1+android7","1.2.0-beta1+android9","2.0.0","2.0.0-beta1+android10","2.0.0-beta1+android11","2.0.0-rc0","2.0.0-rc1","2.0.0-rc2","2.0.0-rc3","2.0.0-rc4","3.0.0","3.0.0-beta1","3.0.0-beta2","3.0.0-beta3","3.0.0-beta4","3.0.0-rc0","3.1.0","3.2.0","3.3.0","3.4.0","3.5.0","3.5.1"],"database_specific":{"vanir_signatures":[{"signature_version":"v1","source":"https://github.com/freerdp/freerdp/commit/622bb7b4402491ca003f47472d0e478132673696","target":{"file":"channels/rdpsnd/client/rdpsnd_main.c"},"signature_type":"Line","id":"CVE-2026-24684-04dc054f","deprecated":false,"digest":{"line_hashes":["320311572097518780728811796690758624893","63313115906129110613603736074651103162","252995033149960371784854936696007224435","251892371072136559332524716841156107958","19719109656483084241409752858554859877","194003495590992766253364700688203607408","68193414474714796645160746510110314578","96242589276501001945860564685030044658","16369215670143458953019668364696418258","52269026402565284959146308168088438373","45926920002663016220376242714041135741","115646349199840449234854566762657693779","318604811723192121977739358298625990627","197597468398426326336576493574895798418","154085855765673830825964478243039658654","232723898879576843949616419237326401151","155229659246709589556589146951976802594","322361078014306657792487772276356779078"],"threshold":0.9}},{"id":"CVE-2026-24684-412b0b48","source":"https://github.com/freerdp/freerdp/commit/afa6851dc80835d3101e40fcef51b6c5c0f43ea5","target":{"function":"rdpsnd_on_close","file":"channels/rdpsnd/client/rdpsnd_main.c"},"digest":{"length":458,"function_hash":"187287917228835741502996038007000049623"},"signature_version":"v1","deprecated":false,"signature_type":"Function"},{"id":"CVE-2026-24684-442c31a4","source":"https://github.com/freerdp/freerdp/commit/afa6851dc80835d3101e40fcef51
b6c5c0f43ea5","target":{"file":"channels/rdpsnd/client/rdpsnd_main.c"},"digest":{"line_hashes":["158650745859759538054732966642555715374","220059047031435644099739552675008857830","149061543304787094717167172588115782651","231640037708081795038030515063324617042","27751596767051797689032896070749254005","106655397373767393942279322500654436708","170603701570050298245184642344954324562","283503911995970019461531422971657018428","199563303827472367387699989529099444094","151920330953649600554434681078166696684","308263786415631785324696121749277541150","272786670312294928299009176140057395693","192525922363290299890118614211487125924","263850499216555546488950018253922783287","192180000512607345559678858240692204346","14699380546755582834839524069987099867","53119164772464150795571683720100811188","234001515290492960903140451474802789906","322220897468406570225906618241032454072","302289110314026473955365982036701975464","40730029168693483988935596252225154217","304024487441903598773484435594034287126","92529018036430510866012033169494418713","58280072216853016401122820669502830895","294575685537791690108662010230703767269","74440445656508029343318275492637957002","177812014825339048525659459548572616578","140203262742005519881358572680483981554","59713215711525325236509902919812135959","257995105886385890001320079515517469397","117241529810881388551491823779495925199","156243537217900099081252868300914332846","236557653387658253561487188191732902453","54781338199766080718002914867799947751","155097969460831352884279245463850283050","218494638415341617319678628656091589688","128649465430073207204889883518658547202","142740948579247526669635837961699777991","109409051761415260199718184190214131887","279128872782703466090633407123111743383","302332787310250496116188001549063113988"],"threshold":0.9},"signature_version":"v1","deprecated":false,"signature_type":"Line"},{"digest":{"length":463,"function_hash":"151616889598604080158835697837567739471"},"source":"https://git
hub.com/freerdp/freerdp/commit/afa6851dc80835d3101e40fcef51b6c5c0f43ea5","target":{"function":"cleanup_internals","file":"channels/rdpsnd/client/rdpsnd_main.c"},"signature_version":"v1","signature_type":"Function","deprecated":false,"id":"CVE-2026-24684-520138e4"},{"digest":{"length":485,"function_hash":"306802294204057848151389251109194312969"},"source":"https://github.com/freerdp/freerdp/commit/afa6851dc80835d3101e40fcef51b6c5c0f43ea5","target":{"function":"rdpsnd_virtual_channel_event_initialized","file":"channels/rdpsnd/client/rdpsnd_main.c"},"signature_version":"v1","signature_type":"Function","deprecated":false,"id":"CVE-2026-24684-5f2825d2"},{"signature_version":"v1","source":"https://github.com/freerdp/freerdp/commit/622bb7b4402491ca003f47472d0e478132673696","target":{"function":"rdpsnd_virtual_channel_event_terminated","file":"channels/rdpsnd/client/rdpsnd_main.c"},"signature_type":"Function","id":"CVE-2026-24684-8546c224","deprecated":false,"digest":{"length":438,"function_hash":"115192286120414010421354006218434689266"}},{"signature_type":"Function","source":"https://github.com/freerdp/freerdp/commit/afa6851dc80835d3101e40fcef51b6c5c0f43ea5","target":{"function":"rdpsnd_virtual_channel_event_terminated","file":"channels/rdpsnd/client/rdpsnd_main.c"},"id":"CVE-2026-24684-ca76cfdb","digest":{"length":253,"function_hash":"233631403432229199530818229590477307388"},"deprecated":false,"signature_version":"v1"},{"digest":{"length":334,"function_hash":"255542198989332870352392289096625081400"},"source":"https://github.com/freerdp/freerdp/commit/afa6851dc80835d3101e40fcef51b6c5c0f43ea5","target":{"function":"allocate_internals","file":"channels/rdpsnd/client/rdpsnd_main.c"},"signature_type":"Function","signature_version":"v1","deprecated":false,"id":"CVE-2026-24684-dc9e369b"},{"signature_version":"v1","source":"https://github.com/freerdp/freerdp/commit/afa6851dc80835d3101e40fcef51b6c5c0f43ea5","target":{"function":"free_internals","file":"channels/rdpsnd/client/rd
psnd_main.c"},"signature_type":"Function","id":"CVE-2026-24684-f35b31b6","deprecated":false,"digest":{"length":281,"function_hash":"210195744027551469618217751163172847760"}}],"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-24684.json","vanir_signatures_modified":"2026-04-16T14:50:16Z"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"}]}