SB2026040263 - Multiple vulnerabilities in OpenSC
Published: April 2, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 5 secuirty vulnerabilities.
1) Out-of-bounds read (CVE-ID: CVE-2025-66037)
The vulnerability allows an attacker with physical access to disclose sensitive information, modify data, or cause a denial of service.
The vulnerability exists due to out-of-bounds read in sc_pkcs15_pubkey_from_spki_fields() in the X.509/SPKI handling path when parsing malformed X.509 certificate or SPKI data via the PIV/PKCS#15 reader path. An attacker with physical access can feed specially crafted certificate data to trigger an out-of-bounds heap read and disclose sensitive information, modify data, or cause a denial of service.
The issue occurs when a zero-length buffer is allocated and one byte is read past the end of that allocation. It is reachable through the shared certificate and public-key decoding logic, including the fuzz_pkcs15_reader and fuzz_pkcs15_crypt harnesses, and was observed as undefined behavior in a non-sanitized build under Valgrind.
2) Buffer Over-read (CVE-ID: CVE-2025-66038)
The vulnerability allows an attacker with physical access to disclose sensitive information, modify memory, or cause a denial of service.
The vulnerability exists due to out-of-bounds pointer return in sc_compacttlv_find_tag when parsing crafted compact-TLV data from untrusted cards or files. An attacker with physical access can provide a specially crafted compact-TLV buffer to disclose sensitive information, modify memory, or cause a denial of service.
The issue occurs because the function can return a pointer past the end of the buffer together with an unchecked length value, which may lead to downstream memory corruption when subsequent code dereferences the returned pointer.
3) Stack-based buffer overflow (CVE-ID: CVE-2025-66215)
The vulnerability allows an attacker with physical access to corrupt memory.
The vulnerability exists due to stack-based buffer overflow in the card-oberthur driver when processing specially crafted responses to APDUs from a crafted USB device or smart card. An attacker with physical access can present a crafted USB device or smart card to corrupt memory.
User interaction is required while a user or administrator uses a token, and the issue affects the oberthur card driver in libopensc.
4) Use of Uninitialized Variable (CVE-ID: CVE-2025-13763)
The vulnerability allows an attacker with physical access to disclose sensitive information, modify data, or cause a denial of service.
The vulnerability exists due to use of uninitialized variable in libopensc when processing crafted input through the fuzz_pkcs15init harness. An attacker with physical access can supply crafted input that triggers use of uninitialized memory to disclose sensitive information, modify data, or cause a denial of service.
The advisory reports 6 use-of-uninitialized-memory cases in functions including sc_asn1_read_tag(), get_cert_len(), asn1_encode_entry(), find_macro(), build_argv(), iasecc_process_fci, and iasecc_sdo_parse(). The reported security relevance is limited, and exploitation requires physical access with high attack complexity according to the provided CVSS vector.
5) Stack-based buffer overflow (CVE-ID: CVE-2025-49010)
The vulnerability allows an attacker with physical access to disclose sensitive information, modify data, or cause a denial of service.
The vulnerability exists due to a stack-based buffer overflow write in the GET RESPONSE handling in libopensc when processing specially crafted responses to APDU requests from a crafted USB device or smart card. An attacker with physical access can present a crafted USB device or smart card to trigger the overflow and disclose sensitive information, modify data, or cause a denial of service.
User interaction is required while a user or administrator is using a token, and the issue is considered high complexity.
Remediation
Install update from vendor's website.
References
- https://github.com/OpenSC/OpenSC/security/advisories/GHSA-m58q-rmjm-mmfx
- https://github.com/OpenSC/OpenSC/security/advisories/GHSA-72x5-fwjx-2459
- https://github.com/OpenSC/OpenSC/security/advisories/GHSA-q5fc-cw56-hwp2
- https://github.com/OpenSC/OpenSC/wiki/CVE-2025-66215
- https://github.com/OpenSC/OpenSC/security/advisories/GHSA-2v44-fq35-98vv
- https://github.com/OpenSC/OpenSC/wiki/CVE-2025-13763
- https://github.com/OpenSC/OpenSC/security/advisories/GHSA-q5cf-5wmx-9wh4
- https://github.com/OpenSC/OpenSC/wiki/CVE-2025-49010