{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-66038", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2025-11-21T01:08:02.615Z", "datePublished": "2026-03-30T17:03:55.914Z", "dateUpdated": "2026-04-01T18:15:33.347Z"}, "containers": {"cna": {"title": "OpenSC: `sc_compacttlv_find_tag` can return out-of-bounds pointers", "problemTypes": [{"descriptions": [{"cweId": "CWE-126", "lang": "en", "description": "CWE-126: Buffer Over-read", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "PHYSICAL", "availabilityImpact": "LOW", "baseScore": 3.9, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/OpenSC/OpenSC/security/advisories/GHSA-72x5-fwjx-2459", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/OpenSC/OpenSC/security/advisories/GHSA-72x5-fwjx-2459"}, {"name": "https://github.com/OpenSC/OpenSC/commit/6db171bcb6fd7cb3b51098fefbb3b28e44f0a79c", "tags": ["x_refsource_MISC"], "url": "https://github.com/OpenSC/OpenSC/commit/6db171bcb6fd7cb3b51098fefbb3b28e44f0a79c"}, {"name": "https://github.com/OpenSC/OpenSC/wiki/CVE-2025-66038", "tags": ["x_refsource_MISC"], "url": "https://github.com/OpenSC/OpenSC/wiki/CVE-2025-66038"}], "affected": [{"vendor": "OpenSC", "product": "OpenSC", "versions": [{"version": "< 0.27.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-30T17:03:55.914Z"}, "descriptions": [{"lang": "en", "value": "OpenSC is an open source smart card tools and middleware. Prior to version 0.27.0, sc_compacttlv_find_tag searches a compact-TLV buffer for a given tag. In compact-TLV, a single byte encodes the tag (high nibble) and value length (low nibble). With a 1-byte buffer {0x0A}, the encoded element claims tag=0 and length=10 but no value bytes follow. Calling sc_compacttlv_find_tag with search tag 0x00 returns a pointer equal to buf+1 and outlen=10 without verifying that the claimed value length fits within the remaining buffer. In cases where the sc_compacttlv_find_tag is provided untrusted data (such as being read from cards/files), attackers may be able to influence it to return out-of-bounds pointers leading to downstream memory corruption when subsequent code tries to dereference the pointer. This issue has been patched in version 0.27.0."}], "source": {"advisory": "GHSA-72x5-fwjx-2459", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-01T18:15:18.318069Z", "id": "CVE-2025-66038", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-01T18:15:33.347Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-66038", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-01T18:15:18.318069Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-01T18:15:28.159Z"}}], "cna": {"title": "OpenSC: `sc_compacttlv_find_tag` can return out-of-bounds pointers", "source": {"advisory": "GHSA-72x5-fwjx-2459", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.9, "attackVector": "PHYSICAL", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "OpenSC", "product": "OpenSC", "versions": [{"status": "affected", "version": "< 0.27.0"}]}], "references": [{"url": "https://github.com/OpenSC/OpenSC/security/advisories/GHSA-72x5-fwjx-2459", "name": "https://github.com/OpenSC/OpenSC/security/advisories/GHSA-72x5-fwjx-2459", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/OpenSC/OpenSC/commit/6db171bcb6fd7cb3b51098fefbb3b28e44f0a79c", "name": "https://github.com/OpenSC/OpenSC/commit/6db171bcb6fd7cb3b51098fefbb3b28e44f0a79c", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/OpenSC/OpenSC/wiki/CVE-2025-66038", "name": "https://github.com/OpenSC/OpenSC/wiki/CVE-2025-66038", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "OpenSC is an open source smart card tools and middleware. Prior to version 0.27.0, sc_compacttlv_find_tag searches a compact-TLV buffer for a given tag. In compact-TLV, a single byte encodes the tag (high nibble) and value length (low nibble). With a 1-byte buffer {0x0A}, the encoded element claims tag=0 and length=10 but no value bytes follow. Calling sc_compacttlv_find_tag with search tag 0x00 returns a pointer equal to buf+1 and outlen=10 without verifying that the claimed value length fits within the remaining buffer. In cases where the sc_compacttlv_find_tag is provided untrusted data (such as being read from cards/files), attackers may be able to influence it to return out-of-bounds pointers leading to downstream memory corruption when subsequent code tries to dereference the pointer. This issue has been patched in version 0.27.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-126", "description": "CWE-126: Buffer Over-read"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-30T17:03:55.914Z"}}}, "cveMetadata": {"cveId": "CVE-2025-66038", "state": "PUBLISHED", "dateUpdated": "2026-04-01T18:15:33.347Z", "dateReserved": "2025-11-21T01:08:02.615Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-30T17:03:55.914Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:opensc_project:opensc:*:*:*:*:*:*:*:*", "matchCriteriaId": "D890677F-5379-4587-B8E7-D38B02AD525A", "versionEndExcluding": "0.27.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "OpenSC is an open source smart card tools and middleware. Prior to version 0.27.0, sc_compacttlv_find_tag searches a compact-TLV buffer for a given tag. In compact-TLV, a single byte encodes the tag (high nibble) and value length (low nibble). With a 1-byte buffer {0x0A}, the encoded element claims tag=0 and length=10 but no value bytes follow. Calling sc_compacttlv_find_tag with search tag 0x00 returns a pointer equal to buf+1 and outlen=10 without verifying that the claimed value length fits within the remaining buffer. In cases where the sc_compacttlv_find_tag is provided untrusted data (such as being read from cards/files), attackers may be able to influence it to return out-of-bounds pointers leading to downstream memory corruption when subsequent code tries to dereference the pointer. This issue has been patched in version 0.27.0."}, {"lang": "es", "value": "OpenSC es un conjunto de herramientas y middleware de c\u00f3digo abierto para tarjetas inteligentes. Antes de la versi\u00f3n 0.27.0, sc_compacttlv_find_tag busca una etiqueta dada en un b\u00fafer compact-TLV. En compact-TLV, un solo byte codifica la etiqueta (nibble superior) y la longitud del valor (nibble inferior). Con un b\u00fafer de 1 byte {0x0A}, el elemento codificado declara etiqueta=0 y longitud=10 pero no le siguen bytes de valor. Llamar a sc_compacttlv_find_tag con la etiqueta de b\u00fasqueda 0x00 devuelve un puntero igual a buf+1 y outlen=10 sin verificar que la longitud de valor declarada cabe dentro del b\u00fafer restante. En los casos en que a sc_compacttlv_find_tag se le proporcionan datos no confiables (como los le\u00eddos de tarjetas/archivos), los atacantes pueden influir en ella para que devuelva punteros fuera de los l\u00edmites, lo que lleva a una corrupci\u00f3n de memoria posterior cuando el c\u00f3digo subsiguiente intenta desreferenciar el puntero. Este problema ha sido corregido en la versi\u00f3n 0.27.0."}], "id": "CVE-2025-66038", "lastModified": "2026-04-01T17:40:36.183", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "PHYSICAL", "availabilityImpact": "LOW", "baseScore": 3.9, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 0.5, "impactScore": 3.4, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "PHYSICAL", "availabilityImpact": "HIGH", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 0.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-30T18:16:18.177", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/OpenSC/OpenSC/commit/6db171bcb6fd7cb3b51098fefbb3b28e44f0a79c"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/OpenSC/OpenSC/security/advisories/GHSA-72x5-fwjx-2459"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/OpenSC/OpenSC/wiki/CVE-2025-66038"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-126"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "OpenSC: OpenSC: Memory corruption via improper compact-TLV length validation", "id": "2453118", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2453118"}, "csaw": false, "cvss3": {"cvss3_base_score": "3.9", "cvss3_scoring_vector": "CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L", "status": "draft"}, "cwe": "CWE-805", "details": ["A flaw was found in OpenSC, an open-source smart card tools and middleware. The `sc_compacttlv_find_tag` function, which searches compact-TLV (Tag-Length-Value) buffers, does not adequately verify the claimed value length against the remaining buffer size. This vulnerability allows attackers to provide specially crafted untrusted data, such as from smart cards or files, to influence the function to return pointers outside of the intended memory boundaries. Subsequent attempts to dereference these out-of-bounds pointers can lead to memory corruption, potentially impacting the stability and integrity of the system."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2025-66038", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "opensc", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Fix deferred", "package_name": "opensc", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "opensc", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "opensc", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-03-30T17:03:55Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-66038\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-66038\nhttps://github.com/OpenSC/OpenSC/commit/6db171bcb6fd7cb3b51098fefbb3b28e44f0a79c\nhttps://github.com/OpenSC/OpenSC/security/advisories/GHSA-72x5-fwjx-2459\nhttps://github.com/OpenSC/OpenSC/wiki/CVE-2025-66038"], "threat_severity": "Low"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,0.27.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "product": "opensc", "vendor": "opensc"}], "analysis": {"en": {"generated_at": "2026-04-02T02:35:40.128187+00:00", "value": {"mitigation_remediation": ["Upgrade OpenSC to version 0.27.0 or later."], "summary": {"action": "Apply Patch", "impact": "Out\u2011of\u2011bounds pointer that can cause memory corruption"}, "threat_synthesis": {"affected_systems": "OpenSC, Version 0.27.0 and earlier are affected. The issue was fixed in OpenSC\u202f0.27.0; no older product versions are listed in the CNA data.", "description_and_impact": "The vulnerability resides in the sc_compacttlv_find_tag function used by OpenSC before version 0.27.0. The function incorrectly interprets a compact\u2011TLV element\u2019s length field without verifying that the claimed length fits within the remaining buffer. When supplied with untrusted data, this flaw can produce a pointer that references beyond the legitimate buffer limits and an out\u2011of\u2011bounds length value, potentially leading to memory corruption during later access. The weakness is classified as CWE\u2011126 (Buffer Over-read) and CWE\u2011805 (Buffer Access with Incorrect Length Value).", "risk_and_exploitability": "The CVSS score is 3.9, indicating low to moderate severity. The EPSS score is less than 1\u202f%, suggesting a low likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred to be via untrusted input, such as data read from smart cards or files manipulated by attackers. Exploitability requires the attacker to supply a crafted compact\u2011TLV buffer, which can be achieved when the smart card backend accepts arbitrary input."}}}}, "created": "2026-03-30T20:55:25.378623+00:00", "updated": "2026-04-03T09:11:13.652122+00:00", "vendors": ["opensc", "opensc$PRODUCT$opensc"]}