{ "affected": [ { "ranges": [ { "events": [ { "introduced": "0" }, { "fixed": "b933ae18d9ad2a1d73c610868fcc30eb61654070" } ], "repo": "https://github.com/freerdp/freerdp", "type": "GIT" } ] } ], "aliases": [ "GHSA-7g72-39pq-4725" ], "database_specific": { "cna_assigner": "GitHub_M", "cwe_ids": [ "CWE-617" ], "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/27xxx/CVE-2026-27015.json" }, "details": "FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, a missing bounds check in `smartcard_unpack_read_size_align()` (`libfreerdp/utils/smartcard_pack.c:1703`) allows a malicious RDP server to crash the FreeRDP client via a reachable `WINPR_ASSERT` → `abort()`. The crash occurs in upstream builds where `WITH_VERBOSE_WINPR_ASSERT=ON` (default in FreeRDP 3.22.0 / current WinPR CMake defaults). Smartcard redirection must be explicitly enabled by the user (e.g., `xfreerdp /smartcard`; `/smartcard-logon` implies `/smartcard`). Version 3.23.0 fixes the issue.", "id": "CVE-2026-27015", "modified": "2026-04-01T23:09:04.842199663Z", "published": "2026-02-25T20:44:14.152Z", "references": [ { "type": "ADVISORY", "url": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/27xxx/CVE-2026-27015.json" }, { "type": "ADVISORY", "url": "https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-7g72-39pq-4725" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27015" }, { "type": "FIX", "url": "https://github.com/FreeRDP/FreeRDP/commit/65d59d3b3c2f630f2ea862687ecf5f95f8115244" } ], "schema_version": "1.7.3", "severity": [ { "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P", "type": "CVSS_V4" } ], "summary": "FreeRDP: Smartcard NDR Alignment Padding Triggers Reachable WINPR_ASSERT Abort (Client DoS)" }