CVE-2026-27015 MEDIUM

CVE-2026-27015: FreeRDP: Smartcard NDR Alignment Padding Triggers Reachable WINPR_ASSERT Abort (Client DoS)

Vendor Freerdp
Product FreeRDP
Weakness CWE-617
Published February 25, 2026
Last update February 26, 2026

CVSS base score: 5.0/10

Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: Active (UI:A)
Confidentiality impact: None (VC:N)
Integrity impact: None (VI:N)
Availability impact: High (VA:H)

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P

What the vulnerability does

Description

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, a missing bounds check in `smartcard_unpack_read_size_align()` (`libfreerdp/utils/smartcard_pack.c:1703`) allows a malicious RDP server to crash the FreeRDP client via a reachable `WINPR_ASSERT` → `abort()`. The crash occurs in upstream builds where `WITH_VERBOSE_WINPR_ASSERT=ON` (default in FreeRDP 3.22.0 / current WinPR CMake defaults). Smartcard redirection must be explicitly enabled by the user (e.g., `xfreerdp /smartcard`; `/smartcard-logon` implies `/smartcard`). Version 3.23.0 fixes the issue.
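As an added illustration of the pattern the description refers to (not FreeRDP's or WinPR's own code), the snippet below skips NDR alignment padding only after checking that the server-supplied buffer still holds enough bytes, so a truncated message is rejected as malformed rather than reaching an assert that aborts the client. The `ndr_reader` type, the function names and the sample buffer are hypothetical stand-ins.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Minimal read cursor over a received buffer (hypothetical; not wStream). */
typedef struct {
    const uint8_t* data;
    size_t length;  /* bytes actually received from the peer */
    size_t pos;     /* current read offset, always <= length */
} ndr_reader;

static size_t ndr_remaining(const ndr_reader* r) { return r->length - r->pos; }

/* Padding bytes needed to bring the cursor to the next alignment boundary. */
static size_t ndr_pad_len(const ndr_reader* r, size_t alignment)
{
    return (alignment - (r->pos % alignment)) % alignment;
}

/* Hardened skip: the padding length is derived from the cursor, not from the
 * data, but the bytes it consumes come from the peer, so their presence must
 * be checked like any other read. An unchecked WINPR_ASSERT(remaining >= pad)
 * here would turn a short buffer into a process abort. */
bool ndr_skip_align_checked(ndr_reader* r, size_t alignment)
{
    size_t pad = ndr_pad_len(r, alignment);
    if (ndr_remaining(r) < pad)
        return false;  /* caller treats this as a malformed PDU */
    r->pos += pad;
    return true;
}

/* Run the checked skip over a constructed buffer; returns the new cursor
 * position, or -1 when the buffer is too short for the padding. */
long ndr_demo(size_t length, size_t start, size_t alignment)
{
    static const uint8_t buf[16] = { 0 };  /* constructed sample payload */
    if (length > sizeof(buf) || start > length)
        return -1;
    ndr_reader r = { buf, length, start };
    if (!ndr_skip_align_checked(&r, alignment))
        return -1;
    return (long)r.pos;
}

int main(void)
{
    printf("pos 5, len 8, align 4 -> %ld\n", ndr_demo(8, 5, 4));  /* 8 */
    printf("pos 5, len 6, align 4 -> %ld\n", ndr_demo(6, 5, 4));  /* -1 */
    return 0;
}
```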

Key dates

Disclosure timeline

February 25, 2026 CVE published
February 26, 2026 Record updated