CVE-2026-27015

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, a missing bounds check in `smartcard_unpack_read_size_align()` (`libfreerdp/utils/smartcard_pack.c:1703`) allows a malicious RDP server to crash the FreeRDP client via a reachable `WINPR_ASSERT` → `abort()`. The crash occurs in upstream builds where `WITH_VERBOSE_WINPR_ASSERT=ON` (default in FreeRDP 3.22.0 / current WinPR CMake defaults). Smartcard redirection must be explicitly enabled by the user (e.g., `xfreerdp /smartcard`; `/smartcard-logon` implies `/smartcard`). Version 3.23.0 fixes the issue.

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/FreeRDP/FreeRDP/commit/65d59d3b3c2f630f2ea862687ecf5f95f8115244	Patch
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-7g72-39pq-4725	Exploit Mitigation Patch Vendor Advisory
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-7g72-39pq-4725	Exploit Mitigation Patch Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:freerdp:freerdp:*:*:*:*:*:*:*:*

History

27 Feb 2026, 14:48

Type	Values Removed	Values Added
CPE		cpe:2.3:a:freerdp:freerdp::::::::
First Time		Freerdp Freerdp freerdp
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 6.5
References	~~() https://github.com/FreeRDP/FreeRDP/commit/65d59d3b3c2f630f2ea862687ecf5f95f8115244 -~~	() https://github.com/FreeRDP/FreeRDP/commit/65d59d3b3c2f630f2ea862687ecf5f95f8115244 - Patch
References	~~() https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-7g72-39pq-4725 -~~	() https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-7g72-39pq-4725 - Exploit, Mitigation, Patch, Vendor Advisory

27 Feb 2026, 14:06

Type	Values Removed	Values Added
Summary		(es) FreeRDP es una implementación gratuita del Protocolo de Escritorio Remoto. Antes de la versión 3.23.0, una comprobación de límites faltante en 'smartcard_unpack_read_size_align()' ('libfreerdp/utils/smartcard_pack.c:1703') permite a un servidor RDP malicioso bloquear el cliente FreeRDP a través de un 'WINPR_ASSERT' ? 'abort()' alcanzable. El bloqueo ocurre en compilaciones upstream donde 'WITH_VERBOSE_WINPR_ASSERT=ON' (predeterminado en FreeRDP 3.22.0 / valores predeterminados actuales de WinPR CMake). La redirección de tarjeta inteligente debe ser habilitada explícitamente por el usuario (p. ej., 'xfreerdp /smartcard'; '/smartcard-logon' implica '/smartcard'). La versión 3.23.0 soluciona el problema.

26 Feb 2026, 16:24

Type	Values Removed	Values Added
References	~~() https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-7g72-39pq-4725 -~~	() https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-7g72-39pq-4725 -

25 Feb 2026, 21:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-02-25 21:16

Updated : 2026-02-27 14:48

NVD link : CVE-2026-27015

Mitre link : CVE-2026-27015

CVE.ORG link : CVE-2026-27015

JSON object : View

Products Affected

freerdp

freerdp

CWE

CWE-617

Reachable Assertion

6.5 /10