EUVD-2025-209127CVSS Vector
CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
Lifecycle Timeline
3Tags
Description
OpenSC is an open source smart card tools and middleware. Prior to version 0.27.0, sc_compacttlv_find_tag searches a compact-TLV buffer for a given tag. In compact-TLV, a single byte encodes the tag (high nibble) and value length (low nibble). With a 1-byte buffer {0x0A}, the encoded element claims tag=0 and length=10 but no value bytes follow. Calling sc_compacttlv_find_tag with search tag 0x00 returns a pointer equal to buf+1 and outlen=10 without verifying that the claimed value length fits within the remaining buffer. In cases where the sc_compacttlv_find_tag is provided untrusted data (such as being read from cards/files), attackers may be able to influence it to return out-of-bounds pointers leading to downstream memory corruption when subsequent code tries to dereference the pointer. This issue has been patched in version 0.27.0.
Analysis
OpenSC before version 0.27.0 contains an out-of-bounds buffer read vulnerability in the sc_compacttlv_find_tag function that can return pointers beyond the allocated buffer bounds, leading to potential memory corruption when downstream code dereferences the returned pointer. The vulnerability affects OpenSC when processing untrusted compact-TLV data from smart cards or files, where a maliciously crafted single-byte element can claim a length exceeding the remaining buffer size without validation. While the CVSS score of 3.9 reflects the physical attack vector requirement (smartcard interaction) and high attack complexity, the memory corruption potential poses a notable risk in environments where OpenSC processes untrusted card data.
Technical Context
OpenSC is middleware for smart card operations that handles Compact-TLV (Tag-Length-Value) encoded data, a format where a single byte encodes both the tag in the high nibble and value length in the low nibble. The sc_compacttlv_find_tag function is responsible for searching compact-TLV buffers for a specified tag. The root cause (CWE-126: Buffer Over-read) stems from inadequate bounds checking: when processing a buffer like {0x0A}, the function decodes this as tag=0x0 with claimed length=10 bytes, but returns a pointer (buf+1) without verifying that 10 bytes of data actually exist in the remaining buffer. This causes the function to return out-of-bounds pointers that, when dereferenced by calling code, can read from or corrupt memory beyond the intended buffer allocation.
Affected Products
OpenSC prior to version 0.27.0 is affected, as indicated by CPE cpe:2.3:a:opensc:opensc:*:*:*:*:*:*:*:*. All versions before 0.27.0 contain the vulnerable sc_compacttlv_find_tag function. The vulnerability is present in any installation or integration of OpenSC that processes compact-TLV data from smart cards, PKI middleware using OpenSC, or applications embedding the OpenSC library. Vendor security advisory is available at https://github.com/OpenSC/OpenSC/security/advisories/GHSA-72x5-fwjx-2459 and the project wiki at https://github.com/OpenSC/OpenSC/wiki/CVE-2025-66038.
Remediation
Vendor-released patch: OpenSC version 0.27.0 or later. Organizations using OpenSC should upgrade to 0.27.0 immediately, which includes the fix committed at 6db171bcb6fd7cb3b51098fefbb3b28e44f0a79c that adds proper bounds validation in sc_compacttlv_find_tag to ensure claimed value lengths do not exceed remaining buffer size. For systems unable to upgrade immediately, limit OpenSC exposure by restricting processing to trusted smart cards and avoiding untrusted card data sources where possible. Consult the vendor advisory at https://github.com/OpenSC/OpenSC/security/advisories/GHSA-72x5-fwjx-2459 for distribution-specific guidance and patch availability.
Priority Score
Vendor Status
Share
External POC / Exploit Code
Leaving vuln.today