CVE-2025-66038 — Buffer Over-read in Opensc

CWE-126 — Buffer Over-read CWE-805 — Buffer Access with Incorrect Length Value7 documents7 sources

Severity

6.8MEDIUMNVD

CNA3.9

EPSS

0.0%

top 94.43%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Opensc Opensc Project Opensc

Timeline

PublishedMar 30

Description

OpenSC is an open source smart card tools and middleware. Prior to version 0.27.0, sc_compacttlv_find_tag searches a compact-TLV buffer for a given tag. In compact-TLV, a single byte encodes the tag (high nibble) and value length (low nibble). With a 1-byte buffer {0x0A}, the encoded element claims tag=0 and length=10 but no value bytes follow. Calling sc_compacttlv_find_tag with search tag 0x00 returns a pointer equal to buf+1 and outlen=10 without verifying that the claimed value length fits w…

CVSS vector

CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 0.9 | Impact: 5.9

Affected Packages3 packages

▶CVEListV5opensc/opensc< 0.27.0

▶NVDopensc_project/opensc< 0.27.0

▶Debianopensc_project/opensc< 0.27.0~rc1-1

Patches

Patch: github.com ↗

🔴Vulnerability Details

OSV

CVE-2025-66038: OpenSC is an open source smart card tools and middleware↗2026-03-30

▶

CVEList

OpenSC: `sc_compacttlv_find_tag` can return out-of-bounds pointers↗2026-03-30

▶

📋Vendor Advisories

Red Hat

OpenSC: OpenSC: Memory corruption via improper compact-TLV length validation↗2026-03-30

▶

Debian

CVE-2025-66038: opensc - OpenSC is an open source smart card tools and middleware. Prior to version 0.27....↗2025

▶

🕵️Threat Intelligence

Wiz

CVE-2025-66038 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶

💬Community

Bugzilla

CVE-2025-66038 opensc: OpenSC: Memory corruption via improper compact-TLV length validation [fedora-all]↗2026-03-30

▶