CVE-2026-27015
Assertion Failure in FreeRDP Smartcard Component Causes Client Crash
Publication date: 2026-02-25
Last updated on: 2026-02-27
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| freerdp | freerdp | to 3.23.0 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-617 | The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-27015 is a vulnerability in FreeRDP versions up to 3.22.0 related to smartcard redirection. It occurs due to a missing bounds check in the function smartcard_unpack_read_size_align(), which handles alignment padding in smartcard data streams.
A malicious RDP server can send a specially crafted smartcard IOCTL packet with incorrect padding length that causes the FreeRDP client to perform an invalid stream seek operation. This triggers an assertion failure (WINPR_ASSERT) and causes the client process to abort (crash).
The vulnerability requires that smartcard redirection be explicitly enabled by the user. It leads to a remote denial of service (DoS) by crashing the client, but does not allow memory corruption or code execution.
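The bounds check described above, sketched as an added example (not FreeRDP's code and not part of the original page): the padding length is compared against the bytes remaining before the read offset moves, so truncated input becomes a parse error instead of an out-of-range seek. The stream type and function names are hypothetical stand-ins for this illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical read stream for this example; not WinPR's wStream. */
typedef struct {
    const uint8_t *buf;
    size_t len; /* bytes actually received */
    size_t pos; /* current read offset, always <= len */
} stream_t;

static size_t stream_remaining(const stream_t *s) { return s->len - s->pos; }

/* Skip the padding that rounds a `size`-byte field up to `alignment`.
 * Returns false when the sender omitted the padding, so the caller can
 * drop the message instead of seeking past the end of the buffer. */
static bool read_size_align(stream_t *s, size_t size, size_t alignment)
{
    if (alignment == 0)
        return false;
    size_t rem = size % alignment;
    size_t pad = rem ? alignment - rem : 0;
    if (pad > stream_remaining(s))
        return false; /* truncated input: reject, do not seek */
    s->pos += pad;
    return true;
}

/* Consume a `cb`-byte field followed by padding to a 4-byte boundary. */
static bool read_padded_field(stream_t *s, size_t cb)
{
    if (cb > stream_remaining(s))
        return false;
    s->pos += cb;
    return read_size_align(s, cb, 4);
}

int main(void)
{
    static const uint8_t data[8] = { 0 }; /* constructed sample bytes */
    stream_t full = { data, 8, 0 }; /* 5-byte field + 3 padding bytes */
    stream_t cut = { data, 5, 0 };  /* same field, padding missing */
    printf("full: %d\n", read_padded_field(&full, 5));
    printf("cut:  %d\n", read_padded_field(&cut, 5));
    return 0;
}
```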
How can this vulnerability impact me?
This vulnerability can impact you by allowing a malicious RDP server to remotely crash your FreeRDP client if you have smartcard redirection enabled.
The crash occurs immediately when processing a malformed smartcard IOCTL packet with improper alignment padding, resulting in a denial of service (DoS) condition.
There is no risk of memory corruption or control-flow hijacking, so the impact is limited to loss of client availability during the attack.
Exposure is limited to environments where smartcard redirection is used, and the user must opt-in to this feature.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for FreeRDP client crashes that occur when smartcard redirection is enabled (e.g., using the /smartcard or /smartcard-logon flags). The crash is triggered by a malicious RDP server sending a crafted SCARD_IOCTL_TRANSMIT packet whose ioSendPci.cbExtraBytes field is not a multiple of 4 and whose stream data is truncated, causing an assertion failure and abort.
To detect attempts to exploit this vulnerability on your network, you can capture and analyze RDP traffic for SCARD_IOCTL_TRANSMIT packets where the ioSendPci.cbExtraBytes field is not a multiple of 4 and the stream data is truncated or missing expected alignment padding.
Suggested commands include using packet capture tools like tcpdump or Wireshark to filter RDP traffic and inspect smartcard IOCTL packets. For example:
- tcpdump -i <interface> -w rdp_capture.pcap port 3389
- Use Wireshark to open rdp_capture.pcap and filter for smartcard IOCTL transmit packets (SCARD_IOCTL_TRANSMIT, IOCTL code 0x000900D0).
- Look for packets where the ioSendPci.cbExtraBytes field is not a multiple of 4 and check if the stream data ends prematurely without the required alignment padding.
Additionally, monitoring FreeRDP client logs for assertion failures or aborts related to smartcard_unpack_read_size_align() can help detect exploitation attempts.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include:
- Disable smartcard redirection when connecting to untrusted or potentially malicious RDP servers, as the vulnerability requires smartcard redirection to be enabled.
- Upgrade FreeRDP to version 3.23.0 or later, where the vulnerability is fixed by adding proper bounds checking and error handling in the smartcard_unpack_read_size_align() function.
- As a temporary workaround, rebuild FreeRDP with the build options -DWITH_VERBOSE_WINPR_ASSERT=OFF and -DNDEBUG to disable verbose asserts. This prevents the client from aborting on assertion failure, though it may cause other stream errors to be handled more gracefully.