CVE-2026-24679 Overview
CVE-2026-24679 is an out-of-bounds read vulnerability in FreeRDP, the free implementation of the Remote Desktop Protocol. The vulnerability exists in the URBDRC (USB Redirection Virtual Channel) client component, specifically in the libusb_udev_select_interface function. Prior to version 3.22.0, server-supplied interface numbers were used as array indices without proper bounds validation, allowing an attacker to trigger out-of-bounds memory reads.
Critical Impact
A malicious RDP server could exploit this vulnerability to cause denial of service conditions by sending crafted interface numbers that trigger out-of-bounds memory access in connected FreeRDP clients.
Affected Products
- FreeRDP versions prior to 3.22.0
- Systems using URBDRC client for USB device redirection over RDP
- Applications built on the FreeRDP library with USB redirection enabled
Discovery Timeline
- 2026-02-09 - CVE-2026-24679 published to NVD
- 2026-02-10 - Last updated in NVD database
Technical Details for CVE-2026-24679
Vulnerability Analysis
This vulnerability is classified as CWE-122 (Heap-based Buffer Overflow), manifesting as an out-of-bounds read condition. The flaw resides in the USB redirection channel client (channels/urbdrc/client/libusb/libusb_udevice.c), where the InterfaceNumber parameter provided by the server is used to index into the MsInterfaces array without first verifying that the value falls within the valid range of available interfaces.
When a FreeRDP client connects to a malicious or compromised RDP server with USB redirection enabled, the server can supply an arbitrary interface number. This number is then used to access memory outside the bounds of the allocated MsInterfaces array, potentially reading sensitive information from adjacent heap memory or causing the client to crash.
Root Cause
The root cause is a missing boundary check on the InterfaceNumber parameter before using it as an array index. The vulnerable code path directly accesses MsInterfaces[InterfaceNumber] without validating that InterfaceNumber < MsConfig->NumInterfaces. This allows an attacker-controlled value from the network to influence memory access patterns.
Attack Vector
The vulnerability is exploitable over the network when a victim FreeRDP client connects to a malicious RDP server. The attack requires the USB redirection feature (URBDRC) to be enabled on the client. An attacker operating a rogue RDP server can send crafted USB redirection messages containing invalid interface numbers, triggering the out-of-bounds read when the client processes these messages.
// Security patch in channels/urbdrc/client/libusb/libusb_udevice.c
// Source: https://github.com/FreeRDP/FreeRDP/commit/2d563a50be17c1b407ca448b1321378c0726dd31
int error = 0;
int diff = 0;
UDEVICE* pdev = (UDEVICE*)idev;
- URBDRC_PLUGIN* urbdrc = NULL;
- MSUSB_CONFIG_DESCRIPTOR* MsConfig = NULL;
- MSUSB_INTERFACE_DESCRIPTOR** MsInterfaces = NULL;
if (!pdev || !pdev->urbdrc)
return -1;
- urbdrc = pdev->urbdrc;
- MsConfig = pdev->MsConfig;
+ URBDRC_PLUGIN* urbdrc = pdev->urbdrc;
+ MSUSB_CONFIG_DESCRIPTOR* MsConfig = pdev->MsConfig;
if (MsConfig)
{
- MsInterfaces = MsConfig->MsInterfaces;
+ if (InterfaceNumber >= MsConfig->NumInterfaces)
+ return -2;
+
+ MSUSB_INTERFACE_DESCRIPTOR** MsInterfaces = MsConfig->MsInterfaces;
if (MsInterfaces)
{
WLog_Print(urbdrc->log, WLOG_INFO,
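Review bot: the new line "if (InterfaceNumber >= MsConfig->NumInterfaces) return -2;" introduces a second error code beside the existing "return -1" without a comment saying what -2 means; document it and confirm every caller treats any negative return as failure rather than comparing against -1. Also confirm InterfaceNumber is an unsigned type, since a signed parameter would let negative values pass this comparison. Note the check only runs inside "if (MsConfig)": when MsConfig is NULL the function continues with InterfaceNumber unvalidated, which is acceptable only if nothing later in the function indexes by it.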
The patch adds a critical bounds check: if (InterfaceNumber >= MsConfig->NumInterfaces) return -2; before accessing the MsInterfaces array, ensuring the interface number is within valid bounds.
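The missing check described under Root Cause and the fix described above, as an added example that is not FreeRDP's own code: simplified stand-ins for the structures named on the page (field names mirror the page; their types and layout are assumed), a constructed three-interface configuration, and the interface selection step in its pre-3.22.0 and 3.22.0 shapes.

```c
#include <stdint.h>
#include <stdio.h>

/* Simplified stand-ins for the FreeRDP structures named on the page; field names
 * mirror the page, the types and layout are assumed. */
typedef struct { uint8_t bInterfaceNumber; } MSUSB_INTERFACE_DESCRIPTOR;
typedef struct {
    uint32_t NumInterfaces;                    /* number of valid entries in MsInterfaces */
    MSUSB_INTERFACE_DESCRIPTOR** MsInterfaces; /* exactly NumInterfaces pointers */
} MSUSB_CONFIG_DESCRIPTOR;

/* Constructed sample: a device configuration exposing three interfaces, 0..2. */
static MSUSB_INTERFACE_DESCRIPTOR sample_ifaces[3] = { { 0 }, { 1 }, { 2 } };
static MSUSB_INTERFACE_DESCRIPTOR* sample_ptrs[3] = { &sample_ifaces[0], &sample_ifaces[1], &sample_ifaces[2] };
static MSUSB_CONFIG_DESCRIPTOR sample_config = { 3, sample_ptrs };

/* Pre-3.22.0 shape: the server-supplied InterfaceNumber indexes MsInterfaces directly,
 * so any value >= NumInterfaces reads past the end of the array. */
static int select_interface_unpatched(const MSUSB_CONFIG_DESCRIPTOR* cfg, uint8_t InterfaceNumber)
{
    if (!cfg || !cfg->MsInterfaces) return -1;
    const MSUSB_INTERFACE_DESCRIPTOR* d = cfg->MsInterfaces[InterfaceNumber]; /* unchecked index */
    return d ? d->bInterfaceNumber : -1;
}

/* 3.22.0 shape: reject out-of-range values with -2 before indexing, as the patch does.
 * InterfaceNumber is unsigned here; a signed parameter would let negative values through. */
static int select_interface_patched(const MSUSB_CONFIG_DESCRIPTOR* cfg, uint8_t InterfaceNumber)
{
    if (!cfg || !cfg->MsInterfaces) return -1;
    if (InterfaceNumber >= cfg->NumInterfaces) return -2;
    const MSUSB_INTERFACE_DESCRIPTOR* d = cfg->MsInterfaces[InterfaceNumber];
    return d ? d->bInterfaceNumber : -1;
}

int main(void)
{
    /* Values a server might send; only the patched path is safe to call with the last two. */
    const uint8_t requests[] = { 0, 2, 3, 255 };
    for (size_t i = 0; i < sizeof requests / sizeof requests[0]; i++)
        printf("InterfaceNumber %3u -> patched result %d\n", requests[i],
               select_interface_patched(&sample_config, requests[i]));
    return 0;
}
```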
Detection Methods for CVE-2026-24679
Indicators of Compromise
- Unexpected FreeRDP client crashes during RDP sessions with USB redirection enabled
- Memory access violations or segmentation faults in the libusb_udev_select_interface function
- Abnormal RDP traffic patterns with unusual URBDRC channel messages
- Core dumps indicating out-of-bounds access in the URBDRC client module
Detection Strategies
- Monitor FreeRDP client processes for abnormal termination or crash events
- Implement network intrusion detection rules for malformed URBDRC channel messages
- Enable debug logging in FreeRDP to capture interface number values in USB redirection requests
- Deploy endpoint detection to identify exploitation attempts targeting RDP clients
Monitoring Recommendations
- Enable comprehensive logging for FreeRDP client connections, particularly URBDRC channel activity
- Monitor for connections to unknown or untrusted RDP servers
- Implement alerting on FreeRDP process crashes or unexpected terminations
- Track USB redirection channel usage patterns for anomalies
How to Mitigate CVE-2026-24679
Immediate Actions Required
- Upgrade FreeRDP to version 3.22.0 or later immediately
- Disable USB redirection (the URBDRC channel, loaded by the /usb: option) if it is not required until patching is complete
- Restrict RDP connections to trusted servers only
- Review and audit existing FreeRDP deployments for vulnerable versions
Patch Information
The vulnerability has been fixed in FreeRDP version 3.22.0. The fix adds proper bounds validation for the InterfaceNumber parameter before using it as an array index. The specific commit addressing this issue is available in the FreeRDP GitHub repository. For detailed information about this security issue, refer to the GitHub Security Advisory GHSA-2jp4-67x6-gv7x.
Workarounds
- Disable USB redirection by not using the /usb: command-line option or removing URBDRC channel configuration
- Configure firewall rules to block RDP connections to untrusted servers
- Use network segmentation to isolate systems running vulnerable FreeRDP versions
- Implement application whitelisting to prevent connections to unknown RDP endpoints
# Configuration example
# Disable USB redirection in FreeRDP by omitting URBDRC channel
# Instead of:
# xfreerdp /v:server /usb:auto
# Use without USB redirection:
xfreerdp /v:server
# Or explicitly disable the URBDRC channel:
xfreerdp /v:server -urbdrc
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.