SB2026040271 - Fedora 43 update for opensc




Published: April 2, 2026

Security Bulletin ID: SB2026040271
Severity: Low
Patch available: YES
Number of vulnerabilities: 4
Exploitation vector: Physical access
Highest impact: Data manipulation

Breakdown by Severity

Low 100%

Description

This security bulletin contains information about 4 security vulnerabilities.


1) Out-of-bounds read (CVE-ID: CVE-2025-66037)

The vulnerability allows an attacker with physical access to disclose sensitive information, modify data, or cause a denial of service.

The vulnerability exists due to an out-of-bounds read in sc_pkcs15_pubkey_from_spki_fields() in the X.509/SPKI handling path when parsing malformed X.509 certificate or SPKI data via the PIV/PKCS#15 reader path. An attacker with physical access can feed specially crafted certificate data to trigger an out-of-bounds heap read and disclose sensitive information, modify data, or cause a denial of service.

The issue occurs when a zero-length buffer is allocated and one byte is read past the end of that allocation. It is reachable through the shared certificate and public-key decoding logic, including the fuzz_pkcs15_reader and fuzz_pkcs15_crypt harnesses, and was observed as undefined behavior in a non-sanitized build under Valgrind.


2) Stack-based buffer overflow (CVE-ID: CVE-2025-49010)

The vulnerability allows an attacker with physical access to disclose sensitive information, modify data, or cause a denial of service.

The vulnerability exists due to a stack-based buffer overflow write in the GET RESPONSE handling in libopensc when processing specially crafted responses to APDU requests from a crafted USB device or smart card. An attacker with physical access can present a crafted USB device or smart card to trigger the overflow and disclose sensitive information, modify data, or cause a denial of service.

User interaction is required while a user or administrator is using a token, and the issue is considered high complexity.


3) Stack-based buffer overflow (CVE-ID: CVE-2025-66215)

The vulnerability allows an attacker with physical access to corrupt memory.

The vulnerability exists due to a stack-based buffer overflow in the card-oberthur driver when processing specially crafted responses to APDUs from a crafted USB device or smart card. An attacker with physical access can present a crafted USB device or smart card to corrupt memory.

User interaction is required while a user or administrator uses a token, and the issue affects the oberthur card driver in libopensc.


4) Buffer Over-read (CVE-ID: CVE-2025-66038)

The vulnerability allows an attacker with physical access to disclose sensitive information, modify memory, or cause a denial of service.

The vulnerability exists due to an out-of-bounds pointer being returned by sc_compacttlv_find_tag() when parsing crafted compact-TLV data from untrusted cards or files. An attacker with physical access can provide a specially crafted compact-TLV buffer to disclose sensitive information, modify memory, or cause a denial of service.

The issue occurs because the function can return a pointer past the end of the buffer together with an unchecked length value, which may lead to downstream memory corruption when subsequent code dereferences the returned pointer.
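
The bounds check that item 4 describes as missing, shown as an added example; this is not OpenSC's code or the upstream fix. The function name ctlv_find and the sample buffers are constructed for illustration, and the encoding assumed is ISO/IEC 7816-4 compact-TLV (tag number in the high nibble, value length in the low nibble).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Compact-TLV (ISO/IEC 7816-4): each object is one header byte
 * (high nibble = tag number, low nibble = value length 0..15)
 * followed by that many value bytes. */

/* Constructed sample buffers, not captured from a real card. */
static const uint8_t SAMPLE_OK[]    = { 0x31, 0xAA, 0x52, 0x01, 0x02 };
static const uint8_t SAMPLE_SHORT[] = { 0x31, 0xAA, 0x54, 0x01, 0x02 }; /* tag 5 claims 4, 2 left */
static const uint8_t SAMPLE_EDGE[]  = { 0x31, 0xAA, 0x52 };             /* header is the last byte */

/* ctlv_find() is a hypothetical helper, not OpenSC's function.
 * Returns the value of the first object with tag number `tag` and
 * stores its length in *out_len. Returns NULL when the tag is absent
 * or when an object's declared length runs past the buffer. */
const uint8_t *ctlv_find(const uint8_t *buf, size_t len,
                         uint8_t tag, size_t *out_len)
{
    size_t idx = 0;

    if (buf == NULL || out_len == NULL || tag > 0x0F)
        return NULL;
    while (idx < len) {
        size_t vlen = buf[idx] & 0x0F;
        size_t remaining = len - idx - 1;  /* bytes after this header */

        if (vlen > remaining)
            return NULL;                   /* truncated object: reject */
        if ((buf[idx] >> 4) == tag) {
            *out_len = vlen;               /* pointer and length validated together */
            return buf + idx + 1;
        }
        idx += 1 + vlen;                   /* cannot exceed len after the check */
    }
    return NULL;
}

int main(void)
{
    size_t n = 0;
    const uint8_t *v = ctlv_find(SAMPLE_OK, sizeof SAMPLE_OK, 5, &n);

    printf("ok:    %s, len %zu\n", v ? "found" : "rejected", n);
    printf("short: %s\n", ctlv_find(SAMPLE_SHORT, sizeof SAMPLE_SHORT, 5, &n) ? "found" : "rejected");
    printf("edge:  %s\n", ctlv_find(SAMPLE_EDGE, sizeof SAMPLE_EDGE, 5, &n) ? "found" : "rejected");
    return 0;
}
```

A zero-length object at the very end of the buffer yields a one-past-the-end pointer with *out_len set to 0, so callers must consult the length before dereferencing.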


Remediation

Install the update from the vendor's website.