2453118 – (CVE-2025-66038) CVE-2025-66038 OpenSC: OpenSC: Memory corruption via improper compact-TLV length validation

Bug 2453118 (CVE-2025-66038) - CVE-2025-66038 OpenSC: OpenSC: Memory corruption via improper compact-TLV length validation

Summary: CVE-2025-66038 OpenSC: OpenSC: Memory corruption via improper compact-TLV len...

Keywords:
Status:	NEW
Alias:	CVE-2025-66038
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2453191
Blocks:
TreeView+	depends on / blocked

Reported:	2026-03-30 18:01 UTC by OSIDB Bzimport
Modified:	2026-03-30 20:46 UTC (History)
CC List:	0 users
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-03-30 18:01:48 UTC

OpenSC is an open source smart card tools and middleware. Prior to version 0.27.0, sc_compacttlv_find_tag searches a compact-TLV buffer for a given tag. In compact-TLV, a single byte encodes the tag (high nibble) and value length (low nibble). With a 1-byte buffer {0x0A}, the encoded element claims tag=0 and length=10 but no value bytes follow. Calling sc_compacttlv_find_tag with search tag 0x00 returns a pointer equal to buf+1 and outlen=10 without verifying that the claimed value length fits within the remaining buffer. In cases where the sc_compacttlv_find_tag is provided untrusted data (such as being read from cards/files), attackers may be able to influence it to return out-of-bounds pointers leading to downstream memory corruption when subsequent code tries to dereference the pointer. This issue has been patched in version 0.27.0.

Note You need to log in before you can comment on or make changes to this bug.