Description
Multiple uses of uninitialized variables were found in libopensc that may lead to information disclosure or application crash. An attack requires a crafted USB device or smart card that would present the system with specially crafted responses to the APDUs
Published: 2026-04-23
Score: 5.7 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Apply Workaround
AI Analysis

Impact

The vulnerability is due to multiple uses of an uninitialized variable within the libopensc component, specifically impacting the handling of APDU responses from USB devices or smart cards. An attacker can create a crafted smart card or USB device that returns specially formulated responses, leading the library to read memory that has not been initialized. Depending on the context, this behavior can leak sensitive data that the process was not intended to expose, or it can trigger a crash of the application utilizing libopensc. The affected weakness is classified as CWE‑457, an Uninitialized Variable flaw.

Affected Systems

The affected products are the OpenSC library (OpenSC:OpenSC) and Red Hat Enterprise Linux distributions including versions 7, 8, 9, and 10. Specific vulnerable versions are not listed in the advisory; any release containing the uninitialized variable logic remains potentially impacted until a patch is released.

Risk and Exploitability

This flaw carries a CVSS score of 5.7, indicating a moderate severity. The EPSS score is reported as less than 1 %, suggesting a very low but non‑zero probability of exploitation in the wild, and it is not listed in the CISA KEV catalog. Exploitation requires the attacker to provide a malicious USB device or smart card that interacts with the target system, implying a local or physical device attack vector. Given the limited exploitability and moderate severity, the overall risk is considered moderate until a vendor patch becomes available.

Generated by OpenCVE AI on April 28, 2026 at 14:53 UTC.

Remediation

Vendor Workaround

To mitigate this issue, avoid connecting untrusted USB devices or smart cards to systems running affected versions of Red Hat Enterprise Linux. This operational control reduces the risk of an attacker presenting a specially crafted device to exploit the uninitialized variable flaws in `libopensc`.

OpenCVE Recommended Actions

  • Use the Red Hat recommended workaround by disabling or restricting the use of untrusted USB devices and smart cards on affected systems.
  • Subscribe to Red Hat security advisories and apply any forthcoming libopensc patches as soon as they are released.
  • Consider disabling smart‑card reader functionality in production environments until a fixed version of libopensc is available.

Generated by OpenCVE AI on April 28, 2026 at 14:53 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 28 Apr 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Opensc
Opensc opensc
Vendors & Products Opensc
Opensc opensc

Fri, 24 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 threat_severity

Low

Thu, 23 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-457
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 23 Apr 2026 12:45:00 +0000

Type Values Removed Values Added
Description Multiple uses of uninitialized variables were found in libopensc that may lead to information disclosure or application crash. An attack requires a crafted USB device or smart card that would present the system with specially crafted responses to the APDUs
Title Libopensc: opensc: multiple uses of uninitialized variable
First Time appeared Redhat
Redhat enterprise Linux
CPEs cpe:/o:redhat:enterprise_linux:10
cpe:/o:redhat:enterprise_linux:7
cpe:/o:redhat:enterprise_linux:8
cpe:/o:redhat:enterprise_linux:9
Vendors & Products Redhat
Redhat enterprise Linux
References
Metrics cvssV3_1

{'score': 5.7, 'vector': 'CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H'}

Subscriptions

Opensc Opensc
Redhat Enterprise Linux
cve-icon MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-04-23T14:05:23.182Z

Reserved: 2025-11-27T14:35:05.731Z

Link: CVE-2025-13763

cve-icon Vulnrichment

Updated: 2026-04-23T14:05:19.606Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-23T13:16:09.697

Modified: 2026-04-24T14:50:56.203

Link: CVE-2025-13763

cve-icon Redhat

Severity : Low

Publid Date: 2026-04-23T12:09:46Z

Links: CVE-2025-13763 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T15:00:14Z

Weaknesses