diff --git a/meta-oe/recipes-support/freerdp/freerdp3/CVE-2026-24680_CVE-2026-27950.patch b/meta-oe/recipes-support/freerdp/freerdp3/CVE-2026-24680_CVE-2026-27950.patch
new file mode 100644
index 0000000000..85179f74d9
--- /dev/null
+++ b/meta-oe/recipes-support/freerdp/freerdp3/CVE-2026-24680_CVE-2026-27950.patch
@@ -0,0 +1,24 @@
+From a2e077bc8dea8a7d1b16b98f31b6f6fbc00c0c24 Mon Sep 17 00:00:00 2001
+From: akallabeth <akallabeth@posteo.net>
+Date: Mon, 26 Jan 2026 11:01:17 +0100
+Subject: [PATCH] [client,sdl] reset pointer after memory release
+
+CVE: CVE-2026-24680 CVE-2026-27950
+Upstream-Status: Backport [https://github.com/FreeRDP/FreeRDP/commit/c42ecbd183b001e76bfc3614cddfad0034acc758]
+Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
+---
+ client/SDL/sdl_pointer.cpp | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/client/SDL/sdl_pointer.cpp b/client/SDL/sdl_pointer.cpp
+index ad8a4f316..a9203a20b 100644
+--- a/client/SDL/sdl_pointer.cpp
++++ b/client/SDL/sdl_pointer.cpp
+@@ -63,6 +63,7 @@ static BOOL sdl_Pointer_New(rdpContext* context, rdpPointer* pointer)
+ 	        &context->gdi->palette))
+ 	{
+ 		winpr_aligned_free(ptr->data);
++		ptr->data = nullptr;
+ 		return FALSE;
+ 	}
+ 
diff --git a/meta-oe/recipes-support/freerdp/freerdp3_3.4.0.bb b/meta-oe/recipes-support/freerdp/freerdp3_3.4.0.bb
index 031cb4a665..08b1fb25e4 100644
--- a/meta-oe/recipes-support/freerdp/freerdp3_3.4.0.bb
+++ b/meta-oe/recipes-support/freerdp/freerdp3_3.4.0.bb
@@ -27,6 +27,7 @@ SRC_URI = "git://github.com/FreeRDP/FreeRDP.git;branch=master;protocol=https \
            file://CVE-2026-24675.patch \
            file://CVE-2026-24676.patch \
            file://CVE-2026-24679.patch \
+           file://CVE-2026-24680_CVE-2026-27950.patch \
            "
 
 S = "${WORKDIR}/git"