EUVD-2025-209126

CVE-2025-66037 LOW
2026-03-30 GitHub_M
CVSS 3.1 base score: 3.9

CVSS Vector

CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
Attack Vector: Physical
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: Low
Availability: Low

Lifecycle Timeline

Analysis Generated: Mar 30, 2026 - 17:36 (vuln.today)
EUVD ID Assigned: Mar 30, 2026 - 17:36 (euvd), EUVD-2025-209126
CVE Published: Mar 30, 2026 - 17:01 (nvd), LOW 3.9

Description

OpenSC is an open source set of smart card tools and middleware. Prior to version 0.27.0, feeding a crafted input to the fuzz_pkcs15_reader harness causes OpenSC to perform an out-of-bounds heap read in the X.509/SPKI handling path. Specifically, sc_pkcs15_pubkey_from_spki_fields() allocates a zero-length buffer and then reads one byte past the end of that allocation. This issue has been patched in version 0.27.0.

Analysis

An out-of-bounds heap read in OpenSC prior to version 0.27.0 allows a local attacker with physical access to a smart card interface to trigger information disclosure and potential denial of service via crafted X.509/SPKI input reaching the pkcs15_reader code path. The vulnerability stems from sc_pkcs15_pubkey_from_spki_fields() allocating a zero-length buffer and then reading one byte beyond its bounds. No public exploit code or active exploitation has been identified; a patch is available in version 0.27.0.

Technical Context

OpenSC is open-source middleware for interacting with smart cards and cryptographic tokens. The vulnerability resides in X.509 Subject Public Key Information (SPKI) parsing within the PKCS#15 reader component. The root cause is a classic out-of-bounds read (CWE-125) in sc_pkcs15_pubkey_from_spki_fields(), which allocates a zero-length heap buffer and then reads one byte past the end of that allocation. The read is reached while processing crafted smart card or PKCS#15 container input, as exercised by the fuzz_pkcs15_reader harness. The physical attack vector (AV:P in CVSS) indicates that the attacker must have direct or logical access to the smart card interface, for example through a card reader device or local access to the system.

Affected Products

OpenSC versions prior to 0.27.0 are affected, identified by CPE cpe:2.3:a:opensc:opensc:*:*:*:*:*:*:*:*; the only stated bound is that releases before the patched version are affected. Distributions and applications embedding OpenSC as a dependency (common in Linux systems with smart card support, HSM integrations, and PKI middleware) inherit this vulnerability. Exact version ranges depend on vendor rollup schedules; however, the patched version 0.27.0 is confirmed available from the OpenSC project. See the GitHub security advisory at https://github.com/OpenSC/OpenSC/security/advisories/GHSA-m58q-rmjm-mmfx and the CVE wiki page at https://github.com/OpenSC/OpenSC/wiki/CVE-2025-66037 for distribution-specific timeline details.

Remediation

Vendor-released patch: upgrade to OpenSC version 0.27.0 or later. Users should apply this update through their distribution's package manager (e.g., apt-get update && apt-get upgrade opensc on Debian/Ubuntu, or the equivalent for other systems) or download it directly from https://github.com/OpenSC/OpenSC/releases. No workarounds are documented; mitigation otherwise relies on preventing physical access through untrusted smart card readers or restricting PKCS#15 input sources to trusted card providers only. Applications using embedded or vendored copies of OpenSC should coordinate patching with their dependency management workflows and test thoroughly with their existing smart card configurations before deployment.

Priority Score

20 (scale: Low / Medium / High / Critical)
KEV: 0
EPSS: +0.0
CVSS: +20
POC: 0

Vendor Status
