CVE-2025-66215

NameCVE-2025-66215
DescriptionOpenSC is an open source smart card tools and middleware. Prior to version 0.27.0, an attacker with physical access to the computer at the time user or administrator uses a token can cause a stack-buffer-overflow WRITE in card-oberthur. The attack requires crafted USB device or smart card that would present the system with specially crafted responses to the APDUs. This issue has been patched in version 0.27.0.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
opensc (PTS)bullseye0.21.0-1vulnerable
bullseye (security)0.21.0-1+deb11u1vulnerable
bookworm0.23.0-0.3+deb12u2vulnerable
trixie0.26.1-2vulnerable
forky, sid0.27.0~rc2-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
openscsource(unstable)0.27.0~rc1-1

Notes

https://github.com/OpenSC/OpenSC/security/advisories/GHSA-q5fc-cw56-hwp2
https://github.com/OpenSC/OpenSC/pull/3436
https://github.com/OpenSC/OpenSC/wiki/CVE-2025-66215
Fixed by: https://github.com/OpenSC/OpenSC/commit/a4bbf8a631537a4c0083b264095ed1cd36d307ab (0.27.0-rc1)
Fixed by: https://github.com/OpenSC/OpenSC/commit/56bc5e9575965461d99a274be45d71c18ab6eae0 (0.27.0-rc1)
Search for package or bug name: Reporting problems