Description
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, a missing bounds check in `smartcard_unpack_read_size_align()` (`libfreerdp/utils/smartcard_pack.c:1703`) allows a malicious RDP server to crash the FreeRDP client via a reachable `WINPR_ASSERT` → `abort()`. The crash occurs in upstream builds where `WITH_VERBOSE_WINPR_ASSERT=ON` (default in FreeRDP 3.22.0 / current WinPR CMake defaults). Smartcard redirection must be explicitly enabled by the user (e.g., `xfreerdp /smartcard`; `/smartcard-logon` implies `/smartcard`). Version 3.23.0 fixes the issue.
Published: 2026-02-25
Score: 5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service via client crash
Action: Immediate Patch
AI Analysis

Impact

A missing bounds check in the smartcard data unpacking routine can cause a reachable assertion failure, which triggers an abort in the client. The result is a crash of the FreeRDP client application, effectively denying the user RDP access. Because the crash occurs in the client, there is no modification of the server or elevation of privileges, but it hampers usability for the affected session.

Affected Systems

FreeRDP clients built with versions earlier than 3.23.0 that have smartcard redirection enabled are affected. The vulnerability is triggered only when the client connects to an RDP server that sends crafted smartcard data; it does not affect servers or clients that never enable smartcard support. All platforms that compile vanilla FreeRDP through the default build settings (which enable verbose WINPR assertions) are in scope, unless the build explicitly disables that assertion mechanism.

Risk and Exploitability

The CVSS score of 5 indicates moderate severity, and the EPSS score is less than 1%, suggesting a low likelihood of exploitation in the wild. The vulnerability is listed in no KEV catalog, further indicating that it is not widely exploited. An attacker must control a malicious RDP server and convince a user’s client to enable smartcard redirection, so the attack requires both a server compromise and a user interaction. Nevertheless, the client crash can be used for a local denial–of–service attack against the target machine or to disrupt connectivity in a managed environment.

Generated by OpenCVE AI on April 17, 2026 at 14:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the FreeRDP client to version 3.23.0 or later, which patches the bounds check in smartcard_unpack_read_size_align().
  • If an upgrade is not immediately possible, disable smartcard redirection in client connection options (e.g., avoid the /smartcard flag) or compile the client with the WITH_VERBOSE_WINPR_ASSERT option turned off, which removes the triggering assertion.
  • Verify that end users are not automatically connecting to untrusted RDP servers and educate them to enable smartcard redirection only after establishing a trusted session.

Generated by OpenCVE AI on April 17, 2026 at 14:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 27 Feb 2026 15:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:freerdp:freerdp:*:*:*:*:*:*:*:*

Thu, 26 Feb 2026 13:30:00 +0000

Type Values Removed Values Added
First Time appeared Freerdp
Freerdp freerdp
Vendors & Products Freerdp
Freerdp freerdp

Thu, 26 Feb 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-120
References
Metrics threat_severity

None

 cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H'}

threat_severity

Moderate

Wed, 25 Feb 2026 21:15:00 +0000

Type Values Removed Values Added
References

Wed, 25 Feb 2026 21:00:00 +0000

Type Values Removed Values Added
Description FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, a missing bounds check in `smartcard_unpack_read_size_align()` (`libfreerdp/utils/smartcard_pack.c:1703`) allows a malicious RDP server to crash the FreeRDP client via a reachable `WINPR_ASSERT` → `abort()`. The crash occurs in upstream builds where `WITH_VERBOSE_WINPR_ASSERT=ON` (default in FreeRDP 3.22.0 / current WinPR CMake defaults). Smartcard redirection must be explicitly enabled by the user (e.g., `xfreerdp /smartcard`; `/smartcard-logon` implies `/smartcard`). Version 3.23.0 fixes the issue.
Title FreeRDP: Smartcard NDR Alignment Padding Triggers Reachable WINPR_ASSERT Abort (Client DoS)
Weaknesses CWE-617
References
Metrics cvssV4_0

{'score': 5, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Freerdp Freerdp
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-26T15:49:52.553Z

Reserved: 2026-02-17T03:08:23.490Z

Link: CVE-2026-27015

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-02-25T21:16:43.203

Modified: 2026-02-27T14:48:24.293

Link: CVE-2026-27015

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-02-25T20:44:14Z

Links: CVE-2026-27015 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T15:00:11Z

Weaknesses