Description

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, a missing bounds check in `smartcard_unpack_read_size_align()` (`libfreerdp/utils/smartcard_pack.c:1703`) allows a malicious RDP server to crash the FreeRDP client via a reachable `WINPR_ASSERT` → `abort()`. The crash occurs in upstream builds where `WITH_VERBOSE_WINPR_ASSERT=ON` (default in FreeRDP 3.22.0 / current WinPR CMake defaults). Smartcard redirection must be explicitly enabled by the user (e.g., `xfreerdp /smartcard`; `/smartcard-logon` implies `/smartcard`). Version 3.23.0 fixes the issue.
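The description above boils down to a CWE-617 pattern: a value derived from server-controlled input is guarded only by an assertion, so in an assert-enabled build a short buffer becomes a client-wide `abort()` rather than a protocol error. The following C example is added here to illustrate that pattern and its fix; it is not FreeRDP's code, uses no FreeRDP or WinPR API, and the stream type, field layout (4-byte length, payload, padding to a 4-byte boundary) and function names are assumptions made for the example. It models the assertion as a predicate instead of a real abort so it can be exercised safely, and places the hardened variant, which turns the same condition into an error return, beside it.

```c
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Constructed illustration of CWE-617 (reachable assertion) in a length-prefixed
 * unpacker. NOT FreeRDP's code: the stream type, message layout and names below
 * are assumptions made for this example.
 */
typedef struct {
    const uint8_t *data;  /* bytes received from the (untrusted) server */
    size_t length;        /* total bytes available */
    size_t pos;           /* read cursor */
} byte_stream;

static size_t remaining(const byte_stream *s) { return s->length - s->pos; }

/* Padding needed to move pos up to the next multiple of `alignment` (a power of two). */
static size_t pad_for(size_t pos, size_t alignment) { return (alignment - (pos % alignment)) % alignment; }

/*
 * Vulnerable shape: the padding follows a server-supplied size and the only guard
 * is an assertion. In an assert-enabled build a short buffer aborts the client.
 * Modelled as a predicate: returns true when the assertion would fire.
 */
static bool assert_would_fire(const byte_stream *s, size_t alignment)
{
    size_t pad = pad_for(s->pos, alignment);
    return remaining(s) < pad;  /* an ASSERT(remaining >= pad) would fail here */
}

/* Hardened shape: the same condition becomes an ordinary error return. */
static bool skip_align_checked(byte_stream *s, size_t alignment)
{
    size_t pad = pad_for(s->pos, alignment);
    if (remaining(s) < pad)
        return false;  /* caller reports a protocol error and drops the channel */
    s->pos += pad;
    return true;
}

/*
 * Unpack one field: 4-byte little-endian size, `size` payload bytes, then padding
 * to a 4-byte boundary. Returns 0 on success, -1 on malformed input. Every read
 * is bounds-checked before the cursor moves.
 */
static int unpack_field(byte_stream *s, size_t *payload_len)
{
    if (remaining(s) < 4) return -1;
    uint32_t size = (uint32_t)s->data[s->pos] | ((uint32_t)s->data[s->pos + 1] << 8) |
                    ((uint32_t)s->data[s->pos + 2] << 16) | ((uint32_t)s->data[s->pos + 3] << 24);
    s->pos += 4;
    if (remaining(s) < size) return -1;  /* payload itself must be present */
    s->pos += size;
    if (!skip_align_checked(s, 4)) return -1;  /* the check the assertion stood in for */
    *payload_len = size;
    return 0;
}

/* Constructed sample: size=5, five payload bytes, three padding bytes (12 bytes). */
static const uint8_t SAMPLE_OK[] = {0x05, 0, 0, 0, 'h', 'e', 'l', 'l', 'o', 0, 0, 0};
/* Same message cut right after the payload: the padding never arrives (9 bytes). */
static const uint8_t SAMPLE_SHORT[] = {0x05, 0, 0, 0, 'h', 'e', 'l', 'l', 'o'};

/* Parse one field from a buffer; reports the final cursor position via end_pos. */
static int parse_sample(const uint8_t *buf, size_t len, size_t *end_pos)
{
    byte_stream s = { buf, len, 0 };
    size_t n = 0;
    int rc = unpack_field(&s, &n);
    if (end_pos) *end_pos = s.pos;
    return rc;
}

/* Whether the assertion-only variant would abort on the short sample. */
static bool short_sample_trips_assert(void)
{
    byte_stream s = { SAMPLE_SHORT, sizeof SAMPLE_SHORT, 9 };  /* cursor just past the payload */
    return assert_would_fire(&s, 4);
}

int main(void)
{
    size_t end = 0;
    int rc = parse_sample(SAMPLE_OK, sizeof SAMPLE_OK, &end);
    printf("well-formed: rc=%d end=%zu\n", rc, end);
    printf("truncated:   rc=%d\n", parse_sample(SAMPLE_SHORT, sizeof SAMPLE_SHORT, NULL));
    printf("assert-only variant would abort on truncated input: %s\n",
           short_sample_trips_assert() ? "yes" : "no");
    return 0;
}
```

The truncated sample passes the payload-length check (exactly five bytes are present) and only fails at the alignment step, which is why a guard placed solely on the padding read matters: the hardened unpacker returns -1 and the caller can tear down the smartcard channel, whereas the assertion-only variant would take the whole client down with it.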

PUBLISHED Reserved 2026-02-17 | Published 2026-02-25 | Updated 2026-02-26 | Assigner GitHub_M

MEDIUM: 5.0 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P

Problem types

CWE-617: Reachable Assertion

Product status

< 3.23.0 (affected)

References

github.com/...reeRDP/security/advisories/GHSA-7g72-39pq-4725 exploit

github.com/...reeRDP/security/advisories/GHSA-7g72-39pq-4725

github.com/...ommit/65d59d3b3c2f630f2ea862687ecf5f95f8115244

cve.org (CVE-2026-27015)

nvd.nist.gov (CVE-2026-27015)