FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, a missing bounds check in smartcard_unpack_read_size_align() (libfreerdp/utils/smartcard_pack.c:1703) allows a malicious RDP server to crash the FreeRDP client by triggering a reachable WINPR_ASSERT, which calls abort() (a reachable assertion, CWE-617). The crash occurs in upstream builds where WITH_VERBOSE_WINPR_ASSERT=ON (the default in FreeRDP 3.22.0 and in the current WinPR CMake defaults). The affected code belongs to smartcard redirection, which must be explicitly enabled by the user (e.g., xfreerdp /smartcard; /smartcard-logon implies /smartcard). Version 3.23.0 fixes the issue.
{
"cna_assigner": "GitHub_M",
"cwe_ids": [
"CWE-617"
],
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/27xxx/CVE-2026-27015.json"
}"2026-04-11T03:29:18Z"
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-27015.json"
[
{
"target": {
"function": "smartcard_unpack_transmit_call",
"file": "libfreerdp/utils/smartcard_pack.c"
},
"signature_version": "v1",
"deprecated": false,
"digest": {
"length": 5356.0,
"function_hash": "249720768176120812831315480396588295080"
},
"id": "CVE-2026-27015-0dad0f98",
"source": "https://github.com/freerdp/freerdp/commit/65d59d3b3c2f630f2ea862687ecf5f95f8115244",
"signature_type": "Function"
},
{
"target": {
"function": "smartcard_pack_write_size_align",
"file": "libfreerdp/utils/smartcard_pack.c"
},
"signature_version": "v1",
"deprecated": false,
"digest": {
"length": 405.0,
"function_hash": "49324342168807349420317225241822187794"
},
"id": "CVE-2026-27015-73f77e97",
"source": "https://github.com/freerdp/freerdp/commit/65d59d3b3c2f630f2ea862687ecf5f95f8115244",
"signature_type": "Function"
},
{
"target": {
"function": "smartcard_ndr_read_ex",
"file": "libfreerdp/utils/smartcard_pack.c"
},
"signature_version": "v1",
"deprecated": false,
"digest": {
"length": 1878.0,
"function_hash": "13717206073661472017560020459944956386"
},
"id": "CVE-2026-27015-7d843002",
"source": "https://github.com/freerdp/freerdp/commit/65d59d3b3c2f630f2ea862687ecf5f95f8115244",
"signature_type": "Function"
},
{
"target": {
"file": "libfreerdp/utils/smartcard_pack.c"
},
"signature_version": "v1",
"deprecated": false,
"digest": {
"threshold": 0.9,
"line_hashes": [
"49062902611032142872430595541952237215",
"101119164304543650237786689657180939639",
"259432921642292607835187741648161089254",
"33152744507043612731734638928103545463",
"267570237703131139047020342392496968720",
"290351939436088060841628303463161773981",
"54811845554797339153523965492075205341",
"220554179869516830966414692831915598286",
"48200228474497942971011073341993962972",
"246494769594298249368006423759170099131",
"23692947918821360669569594321055935447",
"280753457785111199995423954614382215231",
"228779694103744265492655278797853498811",
"134590940223276799457098032112384670892",
"140899171716289293396488485460445500941",
"289511441888475779176802933210851252740",
"54811845554797339153523965492075205341",
"220554179869516830966414692831915598286",
"48200228474497942971011073341993962972",
"51958407260722885305949848775393791597",
"145361581686652690623762497893617969985",
"141666735786874443454233492416136249769",
"285270250027585897963563952709346137815",
"104801202021015109184091576497198590611",
"196634646826967230641403448120084228484",
"25067253159767318617643774051620606786",
"189518081931135115861369657336619555491",
"193455241254515112551700518533074594260",
"301653198004121417173214663612466923363"
]
},
"id": "CVE-2026-27015-93db84ef",
"source": "https://github.com/freerdp/freerdp/commit/65d59d3b3c2f630f2ea862687ecf5f95f8115244",
"signature_type": "Line"
},
{
"target": {
"function": "smartcard_unpack_read_size_align",
"file": "libfreerdp/utils/smartcard_pack.c"
},
"signature_version": "v1",
"deprecated": false,
"digest": {
"length": 225.0,
"function_hash": "107273465921364823511672685695438411212"
},
"id": "CVE-2026-27015-a9d2108d",
"source": "https://github.com/freerdp/freerdp/commit/65d59d3b3c2f630f2ea862687ecf5f95f8115244",
"signature_type": "Function"
},
{
"target": {
"function": "smartcard_irp_device_control_decode",
"file": "libfreerdp/utils/smartcard_operations.c"
},
"signature_version": "v1",
"deprecated": false,
"digest": {
"length": 5865.0,
"function_hash": "26164289608221616998368509404083771207"
},
"id": "CVE-2026-27015-c9d5338a",
"source": "https://github.com/freerdp/freerdp/commit/65d59d3b3c2f630f2ea862687ecf5f95f8115244",
"signature_type": "Function"
},
{
"target": {
"file": "libfreerdp/utils/smartcard_operations.c"
},
"signature_version": "v1",
"deprecated": false,
"digest": {
"threshold": 0.9,
"line_hashes": [
"76008029643167808644104197964172399478",
"24796429467790723759154911295355172044",
"134682107549982568868867559178026932391",
"207599937798754946476253502693104897051"
]
},
"id": "CVE-2026-27015-e3580c3c",
"source": "https://github.com/freerdp/freerdp/commit/65d59d3b3c2f630f2ea862687ecf5f95f8115244",
"signature_type": "Line"
}
]