The reported issues are part of the card enrollment process using the pkcs15-init tool. The attack requires a crafted USB device or smart card that would present the system with specially crafted responses to the APDUs, so they are considered high complexity and low severity. When buffers are partially filled with data, uninitialized parts of the buffer can be incorrectly accessed. The uninitialized variables were reflected in the following functions: - starcos_write_pukey - iasecc_sdo_parse - setcos_generate_key - sc_hsm_determine_free_id Originally reported by Matteo Marini (Sapienza University of Rome)