SB2026042088 - SUSE update for opensc
Published: April 20, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 4 secuirty vulnerabilities.
1) Stack-based buffer overflow (CVE-ID: CVE-2025-49010)
The vulnerability allows an attacker with physical access to disclose sensitive information, modify data, or cause a denial of service.
The vulnerability exists due to a stack-based buffer overflow write in the GET RESPONSE handling in libopensc when processing specially crafted responses to APDU requests from a crafted USB device or smart card. An attacker with physical access can present a crafted USB device or smart card to trigger the overflow and disclose sensitive information, modify data, or cause a denial of service.
User interaction is required while a user or administrator is using a token, and the issue is considered high complexity.
2) Out-of-bounds read (CVE-ID: CVE-2025-66037)
The vulnerability allows an attacker with physical access to disclose sensitive information, modify data, or cause a denial of service.
The vulnerability exists due to out-of-bounds read in sc_pkcs15_pubkey_from_spki_fields() in the X.509/SPKI handling path when parsing malformed X.509 certificate or SPKI data via the PIV/PKCS#15 reader path. An attacker with physical access can feed specially crafted certificate data to trigger an out-of-bounds heap read and disclose sensitive information, modify data, or cause a denial of service.
The issue occurs when a zero-length buffer is allocated and one byte is read past the end of that allocation. It is reachable through the shared certificate and public-key decoding logic, including the fuzz_pkcs15_reader and fuzz_pkcs15_crypt harnesses, and was observed as undefined behavior in a non-sanitized build under Valgrind.
3) Buffer Over-read (CVE-ID: CVE-2025-66038)
The vulnerability allows an attacker with physical access to disclose sensitive information, modify memory, or cause a denial of service.
The vulnerability exists due to out-of-bounds pointer return in sc_compacttlv_find_tag when parsing crafted compact-TLV data from untrusted cards or files. An attacker with physical access can provide a specially crafted compact-TLV buffer to disclose sensitive information, modify memory, or cause a denial of service.
The issue occurs because the function can return a pointer past the end of the buffer together with an unchecked length value, which may lead to downstream memory corruption when subsequent code dereferences the returned pointer.
4) Stack-based buffer overflow (CVE-ID: CVE-2025-66215)
The vulnerability allows an attacker with physical access to corrupt memory.
The vulnerability exists due to stack-based buffer overflow in the card-oberthur driver when processing specially crafted responses to APDUs from a crafted USB device or smart card. An attacker with physical access can present a crafted USB device or smart card to corrupt memory.
User interaction is required while a user or administrator uses a token, and the issue affects the oberthur card driver in libopensc.
Remediation
Install update from vendor's website.