CVE-2025-66038

Description

OpenSC is an open source smart card tools and middleware. Prior to version 0.27.0, sc_compacttlv_find_tag searches a compact-TLV buffer for a given tag. In compact-TLV, a single byte encodes the tag (high nibble) and value length (low nibble). With a 1-byte buffer {0x0A}, the encoded element claims tag=0 and length=10 but no value bytes follow. Calling sc_compacttlv_find_tag with search tag 0x00 returns a pointer equal to buf+1 and outlen=10 without verifying that the claimed value length fits within the remaining buffer. In cases where the sc_compacttlv_find_tag is provided untrusted data (such as being read from cards/files), attackers may be able to influence it to return out-of-bounds pointers leading to downstream memory corruption when subsequent code tries to dereference the pointer. This issue has been patched in version 0.27.0.

Risk Information

Base Score

3.9

MODERATE

Vector

CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

EPSS Score

Exploitation Probability

0.015

Associated Vulnerability

Vulnerability	OS Platform
Vulnerabilities CVE-2025-49010,CVE-2025-66037,CVE-2025-66038,CVE-2025-66215 are affected in OpenSC smartcard framework 0.26.9	Windows

Patch Details

No records found

References

https://nvd.nist.gov/vuln/detail/CVE-2023-1234
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1234