{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27015", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-17T03:08:23.490Z", "datePublished": "2026-02-25T20:44:14.152Z", "dateUpdated": "2026-02-26T15:49:52.553Z"}, "containers": {"cna": {"title": "FreeRDP: Smartcard NDR Alignment Padding Triggers Reachable WINPR_ASSERT Abort (Client DoS)", "problemTypes": [{"descriptions": [{"cweId": "CWE-617", "lang": "en", "description": "CWE-617: Reachable Assertion", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "ACTIVE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 5, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P", "version": "4.0"}}], "references": [{"name": "https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-7g72-39pq-4725", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-7g72-39pq-4725"}, {"name": "https://github.com/FreeRDP/FreeRDP/commit/65d59d3b3c2f630f2ea862687ecf5f95f8115244", "tags": ["x_refsource_MISC"], "url": "https://github.com/FreeRDP/FreeRDP/commit/65d59d3b3c2f630f2ea862687ecf5f95f8115244"}], "affected": [{"vendor": "FreeRDP", "product": "FreeRDP", "versions": [{"version": "< 3.23.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-25T20:45:52.846Z"}, "descriptions": [{"lang": "en", "value": "FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, a missing bounds check in `smartcard_unpack_read_size_align()` (`libfreerdp/utils/smartcard_pack.c:1703`) allows a malicious RDP server to crash the FreeRDP client via a reachable `WINPR_ASSERT` \u2192 `abort()`. The crash occurs in upstream builds where `WITH_VERBOSE_WINPR_ASSERT=ON` (default in FreeRDP 3.22.0 / current WinPR CMake defaults). Smartcard redirection must be explicitly enabled by the user (e.g., `xfreerdp /smartcard`; `/smartcard-logon` implies `/smartcard`). Version 3.23.0 fixes the issue."}], "source": {"advisory": "GHSA-7g72-39pq-4725", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-7g72-39pq-4725", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-26T15:49:47.419476Z", "id": "CVE-2026-27015", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-26T15:49:52.553Z"}}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:freerdp:freerdp:*:*:*:*:*:*:*:*", "matchCriteriaId": "31715854-6D23-4207-AB69-27707C7B2D42", "versionEndExcluding": "3.23.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, a missing bounds check in `smartcard_unpack_read_size_align()` (`libfreerdp/utils/smartcard_pack.c:1703`) allows a malicious RDP server to crash the FreeRDP client via a reachable `WINPR_ASSERT` \u2192 `abort()`. The crash occurs in upstream builds where `WITH_VERBOSE_WINPR_ASSERT=ON` (default in FreeRDP 3.22.0 / current WinPR CMake defaults). Smartcard redirection must be explicitly enabled by the user (e.g., `xfreerdp /smartcard`; `/smartcard-logon` implies `/smartcard`). Version 3.23.0 fixes the issue."}, {"lang": "es", "value": "FreeRDP es una implementaci\u00f3n gratuita del Protocolo de Escritorio Remoto. Antes de la versi\u00f3n 3.23.0, una comprobaci\u00f3n de l\u00edmites faltante en 'smartcard_unpack_read_size_align()' ('libfreerdp/utils/smartcard_pack.c:1703') permite a un servidor RDP malicioso bloquear el cliente FreeRDP a trav\u00e9s de un 'WINPR_ASSERT' ? 'abort()' alcanzable. El bloqueo ocurre en compilaciones upstream donde 'WITH_VERBOSE_WINPR_ASSERT=ON' (predeterminado en FreeRDP 3.22.0 / valores predeterminados actuales de WinPR CMake). La redirecci\u00f3n de tarjeta inteligente debe ser habilitada expl\u00edcitamente por el usuario (p. ej., 'xfreerdp /smartcard'; '/smartcard-logon' implica '/smartcard'). La versi\u00f3n 3.23.0 soluciona el problema."}], "id": "CVE-2026-27015", "lastModified": "2026-02-27T14:48:24.293", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.0, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-02-25T21:16:43.203", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/FreeRDP/FreeRDP/commit/65d59d3b3c2f630f2ea862687ecf5f95f8115244"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Mitigation", "Patch", "Vendor Advisory"], "url": "https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-7g72-39pq-4725"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Mitigation", "Patch", "Vendor Advisory"], "url": "https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-7g72-39pq-4725"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-617"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{"bugzilla": {"description": "freerdp: FreeRDP: Denial of Service via missing bounds check in smartcard redirection", "id": "2442748", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2442748"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-120", "details": ["No description is available for this CVE."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2026-27015", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "freerdp", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Fix deferred", "package_name": "freerdp", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Fix deferred", "package_name": "freerdp", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "freerdp", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "freerdp", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-02-25T20:44:14Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-27015\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-27015\nhttps://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-7g72-39pq-4725"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.23.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "FreeRDP", "source": "cna", "vendor": "FreeRDP"}, "product": "freerdp", "vendor": "freerdp"}], "analysis": {"en": {"generated_at": "2026-04-17T14:52:08.050556+00:00", "value": {"mitigation_remediation": ["Upgrade the FreeRDP client to version 3.23.0 or later, which patches the bounds check in smartcard_unpack_read_size_align().", "If an upgrade is not immediately possible, disable smartcard redirection in client connection options (e.g., avoid the /smartcard flag) or compile the client with the WITH_VERBOSE_WINPR_ASSERT option turned off, which removes the triggering assertion.", "Verify that end users are not automatically connecting to untrusted RDP servers and educate them to enable smartcard redirection only after establishing a trusted session."], "summary": {"action": "Immediate Patch", "impact": "Denial of Service via client crash"}, "threat_synthesis": {"affected_systems": "FreeRDP clients built with versions earlier than 3.23.0 that have smartcard redirection enabled are affected. The vulnerability is triggered only when the client connects to an RDP server that sends crafted smartcard data; it does not affect servers or clients that never enable smartcard support. All platforms that compile vanilla FreeRDP through the default build settings (which enable verbose WINPR assertions) are in scope, unless the build explicitly disables that assertion mechanism.", "description_and_impact": "A missing bounds check in the smartcard data unpacking routine can cause a reachable assertion failure, which triggers an abort in the client. The result is a crash of the FreeRDP client application, effectively denying the user RDP access. Because the crash occurs in the client, there is no modification of the server or elevation of privileges, but it hampers usability for the affected session.", "risk_and_exploitability": "The CVSS score of 5 indicates moderate severity, and the EPSS score is less than 1%, suggesting a low likelihood of exploitation in the wild. The vulnerability is listed in no KEV catalog, further indicating that it is not widely exploited. An attacker must control a malicious RDP server and convince a user\u2019s client to enable smartcard redirection, so the attack requires both a server compromise and a user interaction. Nevertheless, the client crash can be used for a local denial\u2013of\u2013service attack against the target machine or to disrupt connectivity in a managed environment."}}}}, "created": "2026-02-26T13:14:34.025763+00:00", "updated": "2026-04-17T15:00:11.018667+00:00", "vendors": ["freerdp", "freerdp$PRODUCT$freerdp"]}