NULL pointer dereference in FreeRDP - #VU137842
Published: July 16, 2026
FreeRDP
Detailed vulnerability description
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to a NULL pointer dereference in smartcard request cleanup helpers free_reader_states_a/w in FreeRDP smartcard Device Control request handling when processing a malformed smartcard Device Control request that fails during rgReaderStates decoding after a remote-controlled cReaders value is set. A remote attacker can send a specially crafted smartcard Device Control request to cause a denial of service.
The issue is triggered during cleanup of a partially decoded smartcard operation when rgReaderStates remains NULL and cReaders is greater than zero. Smartcard redirection or smartcard proxy handling must be enabled in the affected path.