FreeRDP <3.23.0 Crash via smartcard_unpack Bounds Check (WINPR_ASSERT)
CVE-2026-27015 Published on February 25, 2026
FreeRDP: Smartcard NDR Alignment Padding Triggers Reachable WINPR_ASSERT Abort (Client DoS)
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, a missing bounds check in `smartcard_unpack_read_size_align()` (`libfreerdp/utils/smartcard_pack.c:1703`) allows a malicious RDP server to crash the FreeRDP client via a reachable `WINPR_ASSERT` `abort()`. The crash occurs in upstream builds where `WITH_VERBOSE_WINPR_ASSERT=ON` (default in FreeRDP 3.22.0 / current WinPR CMake defaults). Smartcard redirection must be explicitly enabled by the user (e.g., `xfreerdp /smartcard`; `/smartcard-logon` implies `/smartcard`). Version 3.23.0 fixes the issue.
Weakness Type
What is an assertion failure Vulnerability?
The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary.
CVE-2026-27015 has been classified to as an assertion failure vulnerability or weakness.
Products Associated with CVE-2026-27015
Want to know whenever a new CVE is published for FreeRDP? stack.watch will email you.
Affected Versions
FreeRDP Version < 3.23.0 is affected by CVE-2026-27015Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.