Buffer Over-read in OpenSC - CVE-2025-66038

 

Published: April 2, 2026


Vulnerability identifier: #VU124851
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:P/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2025-66038
CWE-ID: CWE-126
Exploitation vector: Local access
Exploit availability: No public exploit available
Vendor: OpenSC
Affected software: OpenSC

Detailed vulnerability description

The vulnerability allows an attacker with physical access to disclose sensitive information, modify memory, or cause a denial of service.

The vulnerability exists due to an out-of-bounds pointer return in sc_compacttlv_find_tag when parsing crafted compact-TLV data from untrusted cards or files. An attacker with physical access can provide a specially crafted compact-TLV buffer to disclose sensitive information, modify memory, or cause a denial of service.

The issue occurs because the function can return a pointer past the end of the buffer together with an unchecked length value, which may lead to downstream memory corruption when subsequent code dereferences the returned pointer.
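The bug class described above, as an added example that is not OpenSC's code or its patch: a compact-TLV lookup that trusts the declared length, beside one that checks it against the bytes remaining. The function names, signatures and sample buffers are hypothetical and constructed for illustration; the tag is matched on its high nibble only.

```c
#include <stddef.h>
#include <stdint.h>
/* Compact-TLV (ISO/IEC 7816-4): each header byte carries the tag in its high
 * nibble and the value length (0..15) in its low nibble; the value follows. */
/* Constructed sample buffers (not captured from a real card). */
static const uint8_t SAMPLE_OK[] = {0x31, 0xAA, 0x42, 0x01, 0x02};
static const uint8_t SAMPLE_TRUNC[] = {0x31, 0xAA, 0x4F}; /* tag 4 claims 15 bytes, has 0 */

/* Unchecked lookup (hypothetical, for contrast): trusts the declared length. */
const uint8_t *ctlv_find_naive(const uint8_t *buf, size_t len,
                               uint8_t tag, size_t *outlen)
{
    size_t idx = 0;
    while (idx < len) {
        size_t vlen = buf[idx] & 0x0F;
        if ((buf[idx] & 0xF0) == (tag & 0xF0)) {
            *outlen = vlen;        /* never compared with the bytes left */
            return buf + idx + 1;  /* can equal buf + len: nothing to read */
        }
        idx += 1 + vlen;
    }
    return NULL;
}

/* Checked lookup: an element whose value would run past buf + len is rejected,
 * so a non-NULL result always has *outlen readable bytes behind it. */
const uint8_t *ctlv_find_checked(const uint8_t *buf, size_t len,
                                 uint8_t tag, size_t *outlen)
{
    size_t idx = 0;
    if (buf == NULL || outlen == NULL)
        return NULL;
    while (idx < len) {
        size_t vlen = buf[idx] & 0x0F;
        if (vlen > len - idx - 1)  /* bytes after this header byte */
            return NULL;           /* truncated element: treat input as malformed */
        if ((buf[idx] & 0xF0) == (tag & 0xF0)) {
            *outlen = vlen;
            return buf + idx + 1;
        }
        idx += 1 + vlen;
    }
    return NULL;
}

int main(void)
{
    size_t n = 0;  /* exit status 0 when the truncated buffer is rejected */
    return ctlv_find_checked(SAMPLE_TRUNC, sizeof SAMPLE_TRUNC, 0x40, &n) != NULL;
}
```

On the truncated sample the unchecked version hands back a pointer equal to the end of the buffer with a length of 15, which is the condition that leads to the downstream over-read; callers of the checked version only need to handle `NULL`.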


How to mitigate CVE-2025-66038

Install the security update from the vendor's website.

Sources