OpenSC CVE-2025-13763

| EUVD-2025-209564 MEDIUM
Use of Uninitialized Variable (CWE-457)
2026-04-23 redhat
Information Disclosure Redhat Suse
5.7
CVSS 3.1
Share

CVSS VectorNVD

CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H
Attack Vector
Physical
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
High

Lifecycle Timeline

2
Patch available
Apr 23, 2026 - 14:01 EUVD
Analysis Generated
Apr 23, 2026 - 13:15 vuln.today

DescriptionNVD

Multiple uses of uninitialized variables were found in libopensc that may lead to information disclosure or application crash. An attack requires a crafted USB device or smart card that would present the system with specially crafted responses to the APDUs

AnalysisAI

Uninitialized variable usage in OpenSC's libopensc library enables information disclosure and denial of service when processing specially crafted responses from malicious USB devices or smart cards. Attackers must physically present a crafted USB or smart card device to trigger the vulnerability, which reads uninitialized memory from the stack or heap, potentially exposing sensitive data or causing application crashes. No public exploit code has been identified at time of analysis.

Technical ContextAI

OpenSC is a middleware library that provides access to smart cards and hardware security tokens via standard interfaces. The vulnerability resides in libopensc, which handles Application Protocol Data Unit (APDU) communication with smart card readers and USB-based security devices. The flaw involves multiple instances of uninitialized variables-memory regions that are declared but not explicitly set before use. When processing specially crafted APDU responses from a malicious device, these uninitialized variables retain whatever data was previously stored in memory, leading to information leaks or undefined behavior. The CVSS vector indicates physical attack vector (AV:P), meaning an attacker must have direct access to the system's USB ports or card reader interface.

RemediationAI

Apply the patched version of OpenSC released by the OpenSC project (version and release date available in GHSA-2v44-fq35-98vv advisory at https://github.com/OpenSC/OpenSC/security/advisories/GHSA-2v44-fq35-98vv). For Red Hat Enterprise Linux systems, apply security updates via the Red Hat Security Advisory corresponding to CVE-2025-13763 (reference: https://access.redhat.com/security/cve/CVE-2025-13763). No workarounds exist to disable the affected code path without losing smart card functionality. Interim risk reduction measures include physically restricting USB and card reader access to trusted administrators, disabling unused smart card reader hardware in BIOS/UEFI if the system does not require physical token authentication, and isolating systems running OpenSC in high-security environments from untrusted physical access. Each mitigation trades off functionality or convenience against risk, so organizations should prioritize patching rather than relying on compensating controls.

Vendor StatusVendor

Share

CVE-2025-13763 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy