The Libykpiv library prior to version 1.6.0 contains an unchecked buffer, which could allow a buffer overflow. An attacker could use this to attempt to execute malicious code using a specifically crafted USB device masquerading as a YubiKey on a computer where the affected library is currently in use. It is not possible to perform this attack with a genuine YubiKey. In the case of Yubico PIV Tool and YubiKey PIV Manager, malicious code would execute with the same privileges as the user who runs the library. For affected versions of the YubiKey Smart Card Minidriver, malicious code would execute with System level privileges.
Created yubico-piv-tool tracking bugs for this issue:
Affects: epel-7 [bug 1619710]