Opensc

7 CVEs product

CVE-2026-10275 LOW POC PATCH Monitor

Buffer overflow in OpenSC's pkcs11-tool component (versions up to and including 0.26.1) exposes users of the key generation functionality to memory corruption when processing maliciously oversized PKCS#11 URI object IDs. An unauthenticated remote attacker can trigger the flaw in the test_kpgen_certwrite function, but exploitation requires passive user interaction and high attack complexity, reflected in the extremely low CVSS 4.0 score of 1.3 with impact limited to the vulnerable component only. Publicly available exploit code exists (E:P in the CVSS vector), but there is no CISA KEV listing at time of analysis, and real-world mass exploitation is significantly constrained by the required user participation and attack complexity.

Buffer Overflow Opensc
NVD VulDB GitHub
CVSS 4.0: 1.3
EPSS: 0.1%
CVE-2026-40528 LOW PATCH Monitor

Stack and heap buffer overruns in OpenSC's pkcs15-init tooling corrupt memory when processing a maliciously crafted PKCS#15 profile configuration file. Affected versions prior to 0.27.0 contain no length validation in the do_key_value() function before a memcpy into the fixed-size keybuf buffer, allowing overflow when a key value entry begins with '=' and exceeds sizeof(keybuf) bytes. Exploitation is severely constrained: physical access, high attack complexity, and user interaction are all required, which is reflected in the CVSS 4.0 score of 1.0. No public exploit or CISA KEV listing exists at time of analysis.

Buffer Overflow Stack Overflow Opensc
NVD GitHub VulDB
CVSS 4.0: 1.0
EPSS: 0.0%
CVE-2026-40510 LOW PATCH Monitor

Stack buffer overflow in OpenSC's PIV card handler allows a physically present attacker to corrupt memory by presenting a crafted PIV smart card or USB device that returns a URL field exceeding 118 bytes in the Key History Object ASN.1 response, triggering the overflow in `piv_process_history()` within `src/libopensc/card-piv.c`. All OpenSC versions prior to 0.27.0-rc1 are affected; the vulnerability is confirmed by the vendor fix in commit 3f24f0b and PR #3558. With a CVSS 4.0 score of 1.0 (AV:P/AC:H/UI:P), exploitation is severely constrained by mandatory physical access and high attack complexity, with no CISA KEV listing and no public exploit identified at time of analysis.

Buffer Overflow Stack Overflow Opensc
NVD GitHub VulDB
CVSS 4.0: 1.0
EPSS: 0.0%
CVE-2025-66215 LOW PATCH Monitor

Stack-buffer overflow in OpenSC's card-oberthur module (versions prior to 0.27.0) allows local attackers with physical access to trigger memory corruption via specially crafted APDU responses from a malicious USB device or smart card, potentially causing denial of service or limited information disclosure. The attack requires the user or administrator to actively use a token during the compromise window, and the vulnerability has been patched in version 0.27.0. No public exploit code or active exploitation has been confirmed at the time of analysis.

Buffer Overflow Stack Overflow Opensc
NVD GitHub VulDB
CVSS 3.1: 3.8
EPSS: 0.0%
CVE-2025-66038 LOW PATCH Monitor

OpenSC before version 0.27.0 contains an out-of-bounds buffer read vulnerability in the sc_compacttlv_find_tag function that can return pointers beyond the allocated buffer bounds, leading to potential memory corruption when downstream code dereferences the returned pointer. The vulnerability affects OpenSC when processing untrusted compact-TLV data from smart cards or files, where a maliciously crafted single-byte element can claim a length exceeding the remaining buffer size without validation. While the CVSS score of 3.9 reflects the physical attack vector requirement (smartcard interaction) and high attack complexity, the memory corruption potential poses a notable risk in environments where OpenSC processes untrusted card data.

Buffer Overflow Opensc
NVD GitHub VulDB
CVSS 3.1: 3.9
EPSS: 0.0%
CVE-2025-66037 LOW PATCH Monitor

Out-of-bounds heap read in OpenSC prior to version 0.27.0 allows local attackers with physical access to smart card interfaces to trigger information disclosure and potential denial of service via crafted X.509/SPKI input to the pkcs15_reader function. The vulnerability stems from sc_pkcs15_pubkey_from_spki_fields() allocating a zero-length buffer and reading one byte beyond its bounds. No public exploit code or active exploitation has been identified; patch is available in version 0.27.0.

Information Disclosure Buffer Overflow Opensc
NVD GitHub
CVSS 3.1: 3.9
EPSS: 0.0%
CVE-2025-49010 LOW PATCH Monitor

Stack buffer overflow in OpenSC's GET RESPONSE handler prior to version 0.27.0 allows local attackers with physical access to trigger memory corruption via specially crafted smart card or USB device responses to APDUs. The vulnerability requires user interaction and physical proximity, limiting its practical exploitability; however, it could enable local privilege escalation or information disclosure when an authorized user or administrator actively uses a token. No public exploit code or active exploitation has been confirmed.

Buffer Overflow Stack Overflow Opensc
NVD GitHub
CVSS 3.1: 3.8
EPSS: 0.0%