Executive Summary

CVE-2026-27015 is a vulnerability in FreeRDP versions up to 3.22.0 related to smartcard redirection. It occurs due to a missing bounds check in the function smartcard_unpack_read_size_align(), which handles alignment padding in smartcard data streams.

A malicious RDP server can send a specially crafted smartcard IOCTL packet with incorrect padding length that causes the FreeRDP client to perform an invalid stream seek operation. This triggers an assertion failure (WINPR_ASSERT) and causes the client process to abort (crash).

The vulnerability requires that smartcard redirection be explicitly enabled by the user. It leads to a remote denial of service (DoS) by crashing the client, but does not allow memory corruption or code execution.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can impact you by allowing a malicious RDP server to remotely crash your FreeRDP client if you have smartcard redirection enabled.

The crash occurs immediately when processing a malformed smartcard IOCTL packet with improper alignment padding, resulting in a denial of service (DoS) condition.

There is no risk of memory corruption or control-flow hijacking, so the impact is limited to loss of client availability during the attack.

Exposure is limited to environments where smartcard redirection is used, and the user must opt-in to this feature.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by monitoring FreeRDP client crashes that occur when smartcard redirection is enabled (e.g., using the /smartcard or /smartcard-logon flags). The crash is triggered by a malicious RDP server sending a crafted SCARD_IOCTL_TRANSMIT packet with a non-4-byte multiple ioSendPci.cbExtraBytes field and truncated stream data, causing an assertion failure and abort.

To detect attempts to exploit this vulnerability on your network, you can capture and analyze RDP traffic for SCARD_IOCTL_TRANSMIT packets where the ioSendPci.cbExtraBytes field is not a multiple of 4 and the stream data is truncated or missing expected alignment padding.

Suggested commands include using packet capture tools like tcpdump or Wireshark to filter RDP traffic and inspect smartcard IOCTL packets. For example:

• tcpdump -i <interface> -w rdp_capture.pcap port 3389
• Use Wireshark to open rdp_capture.pcap and filter for smartcard IOCTL transmit packets (SCARD_IOCTL_TRANSMIT, IOCTL code 0x000900D0).
• Look for packets where the ioSendPci.cbExtraBytes field is not a multiple of 4 and check if the stream data ends prematurely without the required alignment padding.

Additionally, monitoring FreeRDP client logs for assertion failures or aborts related to smartcard_unpack_read_size_align() can help detect exploitation attempts.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include:

• Disable smartcard redirection when connecting to untrusted or potentially malicious RDP servers, as the vulnerability requires smartcard redirection to be enabled.
• Upgrade FreeRDP to version 3.23.0 or later, where the vulnerability is fixed by adding proper bounds checking and error handling in the smartcard_unpack_read_size_align() function.
• As a temporary workaround, rebuild FreeRDP with the build options -DWITH_VERBOSE_WINPR_ASSERT=OFF and -DNDEBUG to disable verbose asserts. This prevents the client from aborting on assertion failure, though it may cause other stream errors to be handled more gracefully.

Useful 0 Not Useful 0