CVE-2026-27015

6.5 MEDIUM

📋 TL;DR

A missing bounds check in FreeRDP's smartcard handling allows a malicious RDP server to crash the FreeRDP client via an assertion failure. This affects FreeRDP users who explicitly enable smartcard redirection when connecting to untrusted RDP servers. The vulnerability requires user interaction to enable the vulnerable feature.

💻 Affected Systems

Products:
  • FreeRDP
Versions: Versions prior to 3.23.0
Operating Systems: All platforms running FreeRDP
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when smartcard redirection is explicitly enabled (e.g., using the /smartcard or /smartcard-logon flags). Builds with WITH_VERBOSE_WINPR_ASSERT=ON (the default in 3.22.0) crash via abort() when the assertion fails.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Denial of service causing client application crash, potentially disrupting remote access sessions and causing data loss in unsaved work.

🟠 Likely Case

Client crash when connecting to a malicious RDP server with smartcard redirection enabled, requiring restart of the FreeRDP client.

🟢 If Mitigated

No impact if smartcard redirection is disabled or if connecting only to trusted RDP servers.

🌐 Internet-Facing: MEDIUM - Requires user to enable smartcard redirection and connect to malicious server, but RDP clients often connect to internet-facing systems.
🏢 Internal Only: LOW - Internal RDP servers are typically trusted, reducing attack surface.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW - Server-side controlled, requires client to connect with vulnerable configuration.

Exploitation requires the client to connect to a malicious RDP server with smartcard redirection enabled. The server must craft a malicious smartcard response.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.23.0

Vendor Advisory: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-7g72-39pq-4725

Restart Required: Yes

Instructions:

1. Update FreeRDP to version 3.23.0 or later.
2. For package managers: use your distribution's update command (apt update && apt upgrade freerdp2, yum update freerdp, etc.).
3. For source builds: download the latest release from GitHub and rebuild.

🔧 Temporary Workarounds

Disable smartcard redirection (platform: all)

Avoid using /smartcard or /smartcard-logon command-line options when connecting to untrusted RDP servers.

Do not add /smartcard or /smartcard-logon to xfreerdp command lines

Build without verbose assertions (platform: linux)

Compile FreeRDP with WITH_VERBOSE_WINPR_ASSERT=OFF to prevent abort() on assertion failure.

cmake -DWITH_VERBOSE_WINPR_ASSERT=OFF ...
make
make install

🧯 If You Can't Patch

  • Disable smartcard redirection entirely when connecting to untrusted RDP servers
  • Use alternative RDP clients for connections to untrusted servers

🔍 How to Verify

Check if Vulnerable:

Check the installed FreeRDP version and whether smartcard redirection is enabled on the command line. Vulnerable if the version is earlier than 3.23.0 and /smartcard or /smartcard-logon is in use.

Check Version:

xfreerdp --version

Verify Fix Applied:

Verify FreeRDP version is 3.23.0 or later: xfreerdp --version should show 3.23.0+

📡 Detection & Monitoring

Log Indicators:

  • Client crash logs with abort() calls
  • Assertion failure messages mentioning smartcard_unpack_read_size_align

Network Indicators:

  • RDP connections with smartcard redirection enabled to suspicious servers

SIEM Query:

Process termination: xfreerdp OR freerdp AND exit_code abnormal AND command_line contains /smartcard
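The version-plus-flag check from "How to Verify" and the SIEM query above, written out as an added Python example (not part of this advisory or of FreeRDP). It assumes `xfreerdp --version` output contains a dotted X.Y.Z version string, and the process-termination records are constructed samples in the shape the query describes.

```python
import re

FIXED_VERSION = (3, 23, 0)  # fixed release named in the advisory
SMARTCARD_PREFIX = "/smartcard"  # matches /smartcard, /smartcard:<dev>, /smartcard-logon

def parse_version(version_output: str) -> tuple:
    """Return the first X.Y.Z triple in `xfreerdp --version` output.
    Assumes the output contains a dotted version such as "3.22.0"."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", version_output)
    if not m:
        raise ValueError("no X.Y.Z version found in output")
    return tuple(int(x) for x in m.groups())

def uses_smartcard(argv: list) -> bool:
    """True if any argument enables smartcard redirection."""
    return any(arg.startswith(SMARTCARD_PREFIX) for arg in argv)

def is_vulnerable(version_output: str, argv: list) -> bool:
    """Exposed only when version < 3.23.0 AND smartcard redirection is on.
    Tuple comparison avoids the string-compare trap (e.g. "3.9" > "3.23")."""
    return parse_version(version_output) < FIXED_VERSION and uses_smartcard(argv)

def flag_events(events: list) -> list:
    """Apply the advisory's SIEM query to process-termination records:
    process xfreerdp/freerdp, abnormal (non-zero) exit, /smartcard on cmdline."""
    return [
        ev for ev in events
        if ev["process"].lower() in ("xfreerdp", "freerdp")
        and ev["exit_code"] != 0
        and SMARTCARD_PREFIX in ev["command_line"]
    ]

# Constructed sample records, not real telemetry. 134 = 128 + SIGABRT, the
# status a shell reports for a process terminated by abort().
SAMPLE_EVENTS = [
    {"process": "xfreerdp", "exit_code": 134,
     "command_line": "xfreerdp /v:host.example /smartcard /u:alice"},
    {"process": "xfreerdp", "exit_code": 0,
     "command_line": "xfreerdp /v:host.example /smartcard-logon"},
    {"process": "xfreerdp", "exit_code": 134,
     "command_line": "xfreerdp /v:host.example /u:alice"},
]

if __name__ == "__main__":
    print(is_vulnerable("This is FreeRDP version 3.22.0 (3.22.0)", ["/v:host", "/smartcard"]))
    print([e["command_line"] for e in flag_events(SAMPLE_EVENTS)])
```

Only the first sample record matches the query: the second exited normally and the third has no smartcard flag.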

🔗 References