CVE-2025-49010

NameCVE-2025-49010
DescriptionOpenSC is an open source smart card tools and middleware. Prior to version 0.27.0, an attacker with physical access to the computer at the time user or administrator uses a token can cause a stack-buffer-overflow write in GET RESPONSE. The attack requires crafted USB device or smart card that would present the system with specially crafted responses to the APDUs. This issue has been patched in version 0.27.0.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
opensc (PTS)bullseye0.21.0-1vulnerable
bullseye (security)0.21.0-1+deb11u1vulnerable
bookworm0.23.0-0.3+deb12u2vulnerable
trixie0.26.1-2vulnerable
forky, sid0.27.0~rc2-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
openscsource(unstable)0.27.0~rc1-1

Notes

https://github.com/OpenSC/OpenSC/security/advisories/GHSA-q5cf-5wmx-9wh4
https://github.com/OpenSC/OpenSC/wiki/CVE-2025-49010
Fixed by: https://github.com/OpenSC/OpenSC/commit/953986f65db61871bbbff72788d861d67d5140c6 (0.27.0-rc1)
Search for package or bug name: Reporting problems