CVE-2025-66038

Name: CVE-2025-66038
Description: OpenSC is an open source smart card tools and middleware. Prior to version 0.27.0, sc_compacttlv_find_tag searches a compact-TLV buffer for a given tag. In compact-TLV, a single byte encodes the tag (high nibble) and value length (low nibble). With a 1-byte buffer {0x0A}, the encoded element claims tag=0 and length=10 but no value bytes follow. Calling sc_compacttlv_find_tag with search tag 0x00 returns a pointer equal to buf+1 and outlen=10 without verifying that the claimed value length fits within the remaining buffer. In cases where sc_compacttlv_find_tag is provided untrusted data (such as data read from cards or files), attackers may be able to influence it to return out-of-bounds pointers, leading to downstream memory corruption when subsequent code dereferences the pointer. This issue has been patched in version 0.27.0.
Source: CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
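The description above explains the missing check: the header byte's low nibble promises a value length, and the lookup must confirm that many bytes actually remain before handing back a pointer. The following is an added example written for this page, not OpenSC's sc_compacttlv_find_tag; the function name ctlv_find_tag_checked, its signature and the sample buffers are all constructed for illustration. It walks the compact-TLV buffer element by element, rejects any element whose claimed length overruns the buffer, and so returns NULL for the one-byte {0x0A} case from the description instead of buf+1 with outlen=10.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical bounds-checked compact-TLV lookup (added example, not OpenSC code).
 * Each element is one header byte: tag in the high nibble, value length in the
 * low nibble, followed by that many value bytes.
 * Returns a pointer to the value of the first element whose tag matches and
 * writes its length to *outlen. Returns NULL (leaving *outlen untouched) when
 * no element matches or when an element claims more value bytes than remain,
 * so a caller can never receive a pointer whose value range is out of bounds. */
const uint8_t *ctlv_find_tag_checked(const uint8_t *buf, size_t buflen,
                                     uint8_t tag, size_t *outlen)
{
    size_t pos = 0;

    if (buf == NULL)
        return NULL;

    while (pos < buflen) {
        uint8_t t = buf[pos] >> 4;      /* tag: high nibble */
        size_t  l = buf[pos] & 0x0F;    /* value length: low nibble */
        pos++;                          /* step past the header byte */

        /* The check the description says was missing: the value must fit in
         * what is left of the buffer. For {0x0A}, pos == 1, buflen - pos == 0,
         * and l == 10, so we stop here. */
        if (l > buflen - pos)
            return NULL;

        if (t == tag) {
            if (outlen)
                *outlen = l;
            return buf + pos;           /* buf+pos .. buf+pos+l-1 are in bounds */
        }
        pos += l;                       /* skip the value, move to next header */
    }
    return NULL;
}

/* Constructed sample buffers (not taken from any real card or file). */
static const uint8_t sample_truncated[] = { 0x0A };                         /* tag 0, claims 10 bytes, has none */
static const uint8_t sample_ok[]        = { 0x12, 0xAA, 0xBB, 0x21, 0xCC }; /* tag 1 len 2, tag 2 len 1 */
static const uint8_t sample_bad_tail[]  = { 0x12, 0xAA, 0xBB, 0x23, 0xCC }; /* tag 2 claims 3 bytes, has 1 */

int main(void)
{
    size_t n = 0;
    const uint8_t *v;

    v = ctlv_find_tag_checked(sample_truncated, sizeof sample_truncated, 0x00, &n);
    printf("truncated: %s\n", v ? "found (unexpected)" : "rejected");

    v = ctlv_find_tag_checked(sample_ok, sizeof sample_ok, 0x02, &n);
    printf("ok, tag 2: offset %ld, len %zu\n", v ? (long)(v - sample_ok) : -1L, n);

    v = ctlv_find_tag_checked(sample_bad_tail, sizeof sample_bad_tail, 0x02, &n);
    printf("bad tail, tag 2: %s\n", v ? "found (unexpected)" : "rejected");
    return 0;
}
```

Note that the check is performed on every element as the walk proceeds, not only on the matching one, so a well-formed element that precedes a malformed one is still found, while the malformed element itself is never returned regardless of which tag is requested.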

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package    Release               Version               Status
opensc (PTS)      bullseye              0.21.0-1              vulnerable
                  bullseye (security)   0.21.0-1+deb11u1      vulnerable
                  bookworm              0.23.0-0.3+deb12u2    vulnerable
                  trixie                0.26.1-2              vulnerable
                  forky, sid            0.27.0~rc2-1          fixed

The information below is based on the following data on fixed versions.

Package   Type     Release      Fixed Version   Urgency   Origin   Debian Bugs
opensc    source   (unstable)   0.27.0~rc1-1

Notes

https://github.com/OpenSC/OpenSC/security/advisories/GHSA-72x5-fwjx-2459
Fixed by: https://github.com/OpenSC/OpenSC/commit/6db171bcb6fd7cb3b51098fefbb3b28e44f0a79c (0.27.0-rc1)
https://github.com/OpenSC/OpenSC/wiki/CVE-2025-66038
