Severity by source
AV:P/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:P/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L
Lifecycle Timeline
4DescriptionGitHub Advisory
OpenSC is an open source smart card tools and middleware. Prior to version 0.27.0, an attacker with physical access to the computer at the time user or administrator uses a token can cause a stack-buffer-overflow WRITE in card-oberthur. The attack requires crafted USB device or smart card that would present the system with specially crafted responses to the APDUs. This issue has been patched in version 0.27.0.
AnalysisAI
Stack-buffer overflow in OpenSC's card-oberthur module (versions prior to 0.27.0) allows local attackers with physical access to trigger memory corruption via specially crafted APDU responses from a malicious USB device or smart card, potentially causing denial of service or limited information disclosure. The attack requires the user or administrator to actively use a token during the compromise window, and the vulnerability has been patched in version 0.27.0. No public exploit code or active exploitation has been confirmed at the time of analysis.
Technical ContextAI
OpenSC is middleware for smart card and hardware token management on Unix-like and Windows systems. The vulnerability exists in the card-oberthur module, which handles APDU (Application Protocol Data Unit) communication with Oberthur smart card tokens. The root cause is classified as CWE-121 (Stack-based Buffer Overflow), indicating improper bounds checking when processing card responses. An attacker must craft a malicious USB device or compromise a smart card to respond with oversized data that exceeds stack buffer boundaries in the card-oberthur implementation. The affected CPE range cpe:2.3:a:opensc:opensc:*:*:*:*:*:*:*:* indicates all OpenSC versions prior to 0.27.0 are vulnerable.
RemediationAI
Vendor-released patch: OpenSC version 0.27.0. Users should upgrade to version 0.27.0 or later to receive the security fix. The patched version addresses the stack-buffer-overflow in card-oberthur by implementing proper bounds checking on APDU response handling. No workarounds are available for versions prior to 0.27.0. See the upstream advisory at https://github.com/OpenSC/OpenSC/security/advisories/GHSA-q5fc-cw56-hwp2 and the patch commit at https://github.com/OpenSC/OpenSC/commit/efd1d479832141bcf705c2f47655ada4d5f92f5d for technical details.
sc_context_create in ctx.c in libopensc in OpenSC 0.19.0 has a memory leak, as demonstrated by a call from eidenv. Rated
Several buffer overflows when handling responses from a Gemsafe V1 Smartcard in gemsafe_get_cert_len in libopensc/pkcs15
Several buffer overflows when handling responses from a TCOS Card in tcos_select_file in libopensc/card-tcos.c in OpenSC
Several buffer overflows when handling responses from a Muscle Card in muscle_list_files in libopensc/card-muscle.c in O
A double free when handling responses from an HSM Card in sc_pkcs15emu_sc_hsm_init in libopensc/pkcs15-sc-hsm.c in OpenS
A double free when handling responses in read_file in tools/egk-tool.c (aka the eGK card tool) in OpenSC before 0.19.0-r
A double free when handling responses from a smartcard in sc_file_set_sec_attr in libopensc/sc.c in OpenSC before 0.19.0
A single byte buffer overflow when handling responses from an esteid Card in sc_pkcs15emu_esteid_init in libopensc/pkcs1
Several buffer overflows when handling responses from a CAC Card in cac_get_serial_nr_from_CUID in libopensc/card-cac.c
Several buffer overflows when handling responses from an ePass 2003 Card in decrypt_response in libopensc/card-epass2003
Several buffer overflows when handling responses from a Cryptoflex card in read_public_key in tools/cryptoflex-tool.c in
A buffer overflow when handling string concatenation in util_acl_to_str in tools/util.c in OpenSC before 0.19.0-rc1 coul
Same weakness CWE-121 – Stack-based Buffer Overflow
View allSame technique Buffer Overflow
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-209129