freerdp3: fix CVE-2026-24681

Details: https://nvd.nist.gov/vuln/detail/CVE-2026-24681

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>

meta-oe/recipes-support/freerdp/freerdp3/CVE-2026-24681.patch

@@ -0,0 +1,26 @@
+From 00579b7be58db6dc7bf70db4a005cfe9a9e73131 Mon Sep 17 00:00:00 2001
+From: akallabeth <akallabeth@posteo.net>
+Date: Mon, 26 Jan 2026 11:07:25 +0100
+Subject: [PATCH] [channels,urbdrc] cancel all usb transfers on channel close
+
+(cherry picked from commit 414f701464929c217f2509bcbd6d2c1f00f7ed73)
+
+CVE: CVE-2026-24681
+Upstream-Status: Backport [https://github.com/FreeRDP/FreeRDP/commit/414f701464929c217f2509bcbd6d2c1f00f7ed73]
+Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
+---
+ channels/urbdrc/client/libusb/libusb_udevice.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/channels/urbdrc/client/libusb/libusb_udevice.c b/channels/urbdrc/client/libusb/libusb_udevice.c
+index ea12e55e0..0d0f54f0a 100644
+--- a/channels/urbdrc/client/libusb/libusb_udevice.c
++++ b/channels/urbdrc/client/libusb/libusb_udevice.c
+@@ -1125,6 +1125,7 @@ static void libusb_udev_mark_channel_closed(IUDEVICE* idev)
+ 		const uint8_t devNr = idev->get_dev_number(idev);
+ 
+ 		pdev->status |= URBDRC_DEVICE_CHANNEL_CLOSED;
++		pdev->iface.cancel_all_transfer_request(&pdev->iface);
+ 		urbdrc->udevman->unregister_udevice(urbdrc->udevman, busNr, devNr);
+ 	}
+ }

meta-oe/recipes-support/freerdp/freerdp3_3.4.0.bb

@@ -28,6 +28,7 @@ SRC_URI = "git://github.com/FreeRDP/FreeRDP.git;branch=master;protocol=https \
            file://CVE-2026-24676.patch \
            file://CVE-2026-24679.patch \
            file://CVE-2026-24680_CVE-2026-27950.patch \
+           file://CVE-2026-24681.patch \
            "
 
 S = "${WORKDIR}/git"