CVE-2025-66038 (GCVE-0-2025-66038)
Vulnerability from cvelistv5
Published
2026-03-30 17:03
Modified
2026-04-01 18:15
Severity ?
3.9 (Low) - CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
CWE
Summary
OpenSC is an open source smart card tools and middleware. Prior to version 0.27.0, sc_compacttlv_find_tag searches a compact-TLV buffer for a given tag. In compact-TLV, a single byte encodes the tag (high nibble) and value length (low nibble). With a 1-byte buffer {0x0A}, the encoded element claims tag=0 and length=10 but no value bytes follow. Calling sc_compacttlv_find_tag with search tag 0x00 returns a pointer equal to buf+1 and outlen=10 without verifying that the claimed value length fits within the remaining buffer. In cases where the sc_compacttlv_find_tag is provided untrusted data (such as being read from cards/files), attackers may be able to influence it to return out-of-bounds pointers leading to downstream memory corruption when subsequent code tries to dereference the pointer. This issue has been patched in version 0.27.0.
References
Impacted products
Vendor Product Version
OpenSC OpenSC Version: < 0.27.0
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-66038",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-01T18:15:18.318069Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-01T18:15:33.347Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "OpenSC",
          "vendor": "OpenSC",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 0.27.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "OpenSC is an open source smart card tools and middleware. Prior to version 0.27.0, sc_compacttlv_find_tag searches a compact-TLV buffer for a given tag. In compact-TLV, a single byte encodes the tag (high nibble) and value length (low nibble). With a 1-byte buffer {0x0A}, the encoded element claims tag=0 and length=10 but no value bytes follow. Calling sc_compacttlv_find_tag with search tag 0x00 returns a pointer equal to buf+1 and outlen=10 without verifying that the claimed value length fits within the remaining buffer. In cases where the sc_compacttlv_find_tag is provided untrusted data (such as being read from cards/files), attackers may be able to influence it to return out-of-bounds pointers leading to downstream memory corruption when subsequent code tries to dereference the pointer. This issue has been patched in version 0.27.0."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "PHYSICAL",
            "availabilityImpact": "LOW",
            "baseScore": 3.9,
            "baseSeverity": "LOW",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-126",
              "description": "CWE-126: Buffer Over-read",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-30T17:03:55.914Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/OpenSC/OpenSC/security/advisories/GHSA-72x5-fwjx-2459",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/OpenSC/OpenSC/security/advisories/GHSA-72x5-fwjx-2459"
        },
        {
          "name": "https://github.com/OpenSC/OpenSC/commit/6db171bcb6fd7cb3b51098fefbb3b28e44f0a79c",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/OpenSC/OpenSC/commit/6db171bcb6fd7cb3b51098fefbb3b28e44f0a79c"
        },
        {
          "name": "https://github.com/OpenSC/OpenSC/wiki/CVE-2025-66038",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/OpenSC/OpenSC/wiki/CVE-2025-66038"
        }
      ],
      "source": {
        "advisory": "GHSA-72x5-fwjx-2459",
        "discovery": "UNKNOWN"
      },
      "title": "OpenSC: `sc_compacttlv_find_tag` can return out-of-bounds pointers"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-66038",
    "datePublished": "2026-03-30T17:03:55.914Z",
    "dateReserved": "2025-11-21T01:08:02.615Z",
    "dateUpdated": "2026-04-01T18:15:33.347Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-66038\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-04-01T18:15:18.318069Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-04-01T18:15:28.159Z\"}}], \"cna\": {\"title\": \"OpenSC: `sc_compacttlv_find_tag` can return out-of-bounds pointers\", \"source\": {\"advisory\": \"GHSA-72x5-fwjx-2459\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 3.9, \"attackVector\": \"PHYSICAL\", \"baseSeverity\": \"LOW\", \"vectorString\": \"CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"LOW\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"LOW\"}}], \"affected\": [{\"vendor\": \"OpenSC\", \"product\": \"OpenSC\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 0.27.0\"}]}], \"references\": [{\"url\": \"https://github.com/OpenSC/OpenSC/security/advisories/GHSA-72x5-fwjx-2459\", \"name\": \"https://github.com/OpenSC/OpenSC/security/advisories/GHSA-72x5-fwjx-2459\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/OpenSC/OpenSC/commit/6db171bcb6fd7cb3b51098fefbb3b28e44f0a79c\", \"name\": \"https://github.com/OpenSC/OpenSC/commit/6db171bcb6fd7cb3b51098fefbb3b28e44f0a79c\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/OpenSC/OpenSC/wiki/CVE-2025-66038\", \"name\": \"https://github.com/OpenSC/OpenSC/wiki/CVE-2025-66038\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"OpenSC is an open source smart card tools and middleware. Prior to version 0.27.0, sc_compacttlv_find_tag searches a compact-TLV buffer for a given tag. In compact-TLV, a single byte encodes the tag (high nibble) and value length (low nibble). With a 1-byte buffer {0x0A}, the encoded element claims tag=0 and length=10 but no value bytes follow. Calling sc_compacttlv_find_tag with search tag 0x00 returns a pointer equal to buf+1 and outlen=10 without verifying that the claimed value length fits within the remaining buffer. In cases where the sc_compacttlv_find_tag is provided untrusted data (such as being read from cards/files), attackers may be able to influence it to return out-of-bounds pointers leading to downstream memory corruption when subsequent code tries to dereference the pointer. This issue has been patched in version 0.27.0.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-126\", \"description\": \"CWE-126: Buffer Over-read\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-03-30T17:03:55.914Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-66038\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-04-01T18:15:33.347Z\", \"dateReserved\": \"2025-11-21T01:08:02.615Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-03-30T17:03:55.914Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.