{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-66038", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2025-11-21T01:08:02.615Z", "datePublished": "2026-03-30T17:03:55.914Z", "dateUpdated": "2026-04-01T18:15:33.347Z"}, "containers": {"cna": {"title": "OpenSC: `sc_compacttlv_find_tag` can return out-of-bounds pointers", "problemTypes": [{"descriptions": [{"cweId": "CWE-126", "lang": "en", "description": "CWE-126: Buffer Over-read", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "PHYSICAL", "availabilityImpact": "LOW", "baseScore": 3.9, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/OpenSC/OpenSC/security/advisories/GHSA-72x5-fwjx-2459", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/OpenSC/OpenSC/security/advisories/GHSA-72x5-fwjx-2459"}, {"name": "https://github.com/OpenSC/OpenSC/commit/6db171bcb6fd7cb3b51098fefbb3b28e44f0a79c", "tags": ["x_refsource_MISC"], "url": "https://github.com/OpenSC/OpenSC/commit/6db171bcb6fd7cb3b51098fefbb3b28e44f0a79c"}, {"name": "https://github.com/OpenSC/OpenSC/wiki/CVE-2025-66038", "tags": ["x_refsource_MISC"], "url": "https://github.com/OpenSC/OpenSC/wiki/CVE-2025-66038"}], "affected": [{"vendor": "OpenSC", "product": "OpenSC", "versions": [{"version": "< 0.27.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-30T17:03:55.914Z"}, "descriptions": [{"lang": "en", "value": "OpenSC is an open source smart card tools and middleware. Prior to version 0.27.0, sc_compacttlv_find_tag searches a compact-TLV buffer for a given tag. In compact-TLV, a single byte encodes the tag (high nibble) and value length (low nibble). With a 1-byte buffer {0x0A}, the encoded element claims tag=0 and length=10 but no value bytes follow. Calling sc_compacttlv_find_tag with search tag 0x00 returns a pointer equal to buf+1 and outlen=10 without verifying that the claimed value length fits within the remaining buffer. In cases where the sc_compacttlv_find_tag is provided untrusted data (such as being read from cards/files), attackers may be able to influence it to return out-of-bounds pointers leading to downstream memory corruption when subsequent code tries to dereference the pointer. This issue has been patched in version 0.27.0."}], "source": {"advisory": "GHSA-72x5-fwjx-2459", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-01T18:15:18.318069Z", "id": "CVE-2025-66038", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-01T18:15:33.347Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-66038", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-01T18:15:18.318069Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-01T18:15:28.159Z"}}], "cna": {"title": "OpenSC: `sc_compacttlv_find_tag` can return out-of-bounds pointers", "source": {"advisory": "GHSA-72x5-fwjx-2459", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.9, "attackVector": "PHYSICAL", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "OpenSC", "product": "OpenSC", "versions": [{"status": "affected", "version": "< 0.27.0"}]}], "references": [{"url": "https://github.com/OpenSC/OpenSC/security/advisories/GHSA-72x5-fwjx-2459", "name": "https://github.com/OpenSC/OpenSC/security/advisories/GHSA-72x5-fwjx-2459", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/OpenSC/OpenSC/commit/6db171bcb6fd7cb3b51098fefbb3b28e44f0a79c", "name": "https://github.com/OpenSC/OpenSC/commit/6db171bcb6fd7cb3b51098fefbb3b28e44f0a79c", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/OpenSC/OpenSC/wiki/CVE-2025-66038", "name": "https://github.com/OpenSC/OpenSC/wiki/CVE-2025-66038", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "OpenSC is an open source smart card tools and middleware. Prior to version 0.27.0, sc_compacttlv_find_tag searches a compact-TLV buffer for a given tag. In compact-TLV, a single byte encodes the tag (high nibble) and value length (low nibble). With a 1-byte buffer {0x0A}, the encoded element claims tag=0 and length=10 but no value bytes follow. Calling sc_compacttlv_find_tag with search tag 0x00 returns a pointer equal to buf+1 and outlen=10 without verifying that the claimed value length fits within the remaining buffer. In cases where the sc_compacttlv_find_tag is provided untrusted data (such as being read from cards/files), attackers may be able to influence it to return out-of-bounds pointers leading to downstream memory corruption when subsequent code tries to dereference the pointer. This issue has been patched in version 0.27.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-126", "description": "CWE-126: Buffer Over-read"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-30T17:03:55.914Z"}}}, "cveMetadata": {"cveId": "CVE-2025-66038", "state": "PUBLISHED", "dateUpdated": "2026-04-01T18:15:33.347Z", "dateReserved": "2025-11-21T01:08:02.615Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-30T17:03:55.914Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:opensc_project:opensc:*:*:*:*:*:*:*:*", "matchCriteriaId": "D890677F-5379-4587-B8E7-D38B02AD525A", "versionEndExcluding": "0.27.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "OpenSC is an open source smart card tools and middleware. Prior to version 0.27.0, sc_compacttlv_find_tag searches a compact-TLV buffer for a given tag. In compact-TLV, a single byte encodes the tag (high nibble) and value length (low nibble). With a 1-byte buffer {0x0A}, the encoded element claims tag=0 and length=10 but no value bytes follow. Calling sc_compacttlv_find_tag with search tag 0x00 returns a pointer equal to buf+1 and outlen=10 without verifying that the claimed value length fits within the remaining buffer. In cases where the sc_compacttlv_find_tag is provided untrusted data (such as being read from cards/files), attackers may be able to influence it to return out-of-bounds pointers leading to downstream memory corruption when subsequent code tries to dereference the pointer. This issue has been patched in version 0.27.0."}, {"lang": "es", "value": "OpenSC es un conjunto de herramientas y middleware de c\u00f3digo abierto para tarjetas inteligentes. Antes de la versi\u00f3n 0.27.0, sc_compacttlv_find_tag busca una etiqueta dada en un b\u00fafer compact-TLV. En compact-TLV, un solo byte codifica la etiqueta (nibble superior) y la longitud del valor (nibble inferior). Con un b\u00fafer de 1 byte {0x0A}, el elemento codificado declara etiqueta=0 y longitud=10 pero no le siguen bytes de valor. Llamar a sc_compacttlv_find_tag con la etiqueta de b\u00fasqueda 0x00 devuelve un puntero igual a buf+1 y outlen=10 sin verificar que la longitud de valor declarada cabe dentro del b\u00fafer restante. En los casos en que a sc_compacttlv_find_tag se le proporcionan datos no confiables (como los le\u00eddos de tarjetas/archivos), los atacantes pueden influir en ella para que devuelva punteros fuera de los l\u00edmites, lo que lleva a una corrupci\u00f3n de memoria posterior cuando el c\u00f3digo subsiguiente intenta desreferenciar el puntero. Este problema ha sido corregido en la versi\u00f3n 0.27.0."}], "id": "CVE-2025-66038", "lastModified": "2026-04-01T17:40:36.183", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "PHYSICAL", "availabilityImpact": "LOW", "baseScore": 3.9, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 0.5, "impactScore": 3.4, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "PHYSICAL", "availabilityImpact": "HIGH", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 0.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-30T18:16:18.177", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/OpenSC/OpenSC/commit/6db171bcb6fd7cb3b51098fefbb3b28e44f0a79c"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/OpenSC/OpenSC/security/advisories/GHSA-72x5-fwjx-2459"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/OpenSC/OpenSC/wiki/CVE-2025-66038"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-126"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "OpenSC: OpenSC: Memory corruption via improper compact-TLV length validation", "id": "2453118", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2453118"}, "csaw": false, "cvss3": {"cvss3_base_score": "3.9", "cvss3_scoring_vector": "CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L", "status": "draft"}, "cwe": "CWE-805", "details": ["A flaw was found in OpenSC, an open-source smart card tools and middleware. The `sc_compacttlv_find_tag` function, which searches compact-TLV (Tag-Length-Value) buffers, does not adequately verify the claimed value length against the remaining buffer size. This vulnerability allows attackers to provide specially crafted untrusted data, such as from smart cards or files, to influence the function to return pointers outside of the intended memory boundaries. Subsequent attempts to dereference these out-of-bounds pointers can lead to memory corruption, potentially impacting the stability and integrity of the system."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2025-66038", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "opensc", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Fix deferred", "package_name": "opensc", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "opensc", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "opensc", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-03-30T17:03:55Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-66038\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-66038\nhttps://github.com/OpenSC/OpenSC/commit/6db171bcb6fd7cb3b51098fefbb3b28e44f0a79c\nhttps://github.com/OpenSC/OpenSC/security/advisories/GHSA-72x5-fwjx-2459\nhttps://github.com/OpenSC/OpenSC/wiki/CVE-2025-66038"], "threat_severity": "Low"}

{"analysis": {"en": {"generated_at": "2026-03-31T05:26:19.848761+00:00", "value": {"mitigation_remediation": ["Upgrade OpenSC to version 0.27.0 or newer.", "If immediate upgrade is not possible, restrict or sanitize untrusted smart\u2011card and file input before it reaches sc_compacttlv_find_tag.", "Monitor system logs for memory corruption or abnormal crashes and apply a future patch as soon as it becomes available."], "summary": {"action": "Patch", "impact": "Potential memory corruption from out-of-bounds pointer"}, "threat_synthesis": {"affected_systems": "Vendors and products affected include OpenSC:OpenSC, versions earlier than 0.27.0. Any installation of OpenSC that uses the vulnerable sc_compacttlv_find_tag routine, such as smart\u2011card readers, middleware, or file parsing utilities, is at risk. The vulnerability was patched in release 0.27.0, so systems running that version or newer are not affected. No further version information is listed, so the entire pre\u20110.27.0 family should be considered vulnerable.", "description_and_impact": "OpenSC is an open\u2011source smart\u2011card toolkit. Prior to version 0.27.0, the function sc_compacttlv_find_tag parses a compact\u2011TLV buffer that encodes a tag and a length in a single byte. When presented with a 1\u2011byte buffer such as {0x0A}, the routine interprets the low nibble as a length of ten bytes, yet no value bytes follow. The function then returns a pointer to buf+1 and an outlen of 10 without checking that the claimed length fits in the remaining buffer. If an attacker supplies untrusted data\u2014such as a card or file\u2014this can cause the routine to produce an out\u2011of\u2011bounds pointer, and later code that dereferences that pointer may corrupt memory, potentially leading to crashes or arbitrary code execution.", "risk_and_exploitability": "The CVSS score of 3.9 indicates moderate severity, and the EPSS score is not available. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires that the vulnerable function be invoked with untrusted data; the description indicates that data may come from smart\u2011card input or external files. Precise attack vector is not specified, but it can be inferred that an attacker who can supply card data or a file to the library could trigger the failure. Because the failure results in memory corruption, the overall risk depends on the context, but the moderate CVSS suggests exploitation is possible with some effort and is not highly likely under typical usage."}}}}, "created": "2026-03-30T20:55:25.378623+00:00", "updated": "2026-03-31T20:00:13.739787+00:00", "vendors": []}