{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-13763", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "state": "PUBLISHED", "assignerShortName": "redhat", "dateReserved": "2025-11-27T14:35:05.731Z", "datePublished": "2026-04-23T12:27:41.820Z", "dateUpdated": "2026-04-23T14:05:23.182Z"}, "containers": {"cna": {"title": "Libopensc: opensc: multiple uses of uninitialized variable", "metrics": [{"other": {"content": {"value": "Low", "namespace": "https://access.redhat.com/security/updates/classification/"}, "type": "Red Hat severity rating"}}, {"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "PHYSICAL", "availabilityImpact": "HIGH", "baseScore": 5.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H", "version": "3.1"}, "format": "CVSS"}], "descriptions": [{"lang": "en", "value": "Multiple uses of uninitialized variables were found in libopensc that may lead to information disclosure or application crash. An attack requires a crafted USB device or smart card that would present the system with specially crafted responses to the APDUs"}], "affected": [{"vendor": "OpenSC", "product": "OpenSC", "versions": [{"status": "affected", "version": "0", "lessThan": "0.27.0", "versionType": "semver"}], "defaultStatus": "unaffected"}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 10", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "opensc", "defaultStatus": "affected", "cpes": ["cpe:/o:redhat:enterprise_linux:10"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 7", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "opensc", "defaultStatus": "affected", "cpes": ["cpe:/o:redhat:enterprise_linux:7"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "opensc", "defaultStatus": "affected", "cpes": ["cpe:/o:redhat:enterprise_linux:8"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 9", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "opensc", "defaultStatus": "affected", "cpes": ["cpe:/o:redhat:enterprise_linux:9"]}], "references": [{"url": "https://access.redhat.com/security/cve/CVE-2025-13763", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2417581", "name": "RHBZ#2417581", "tags": ["issue-tracking", "x_refsource_REDHAT"]}, {"url": "https://github.com/OpenSC/OpenSC/security/advisories/GHSA-2v44-fq35-98vv"}, {"url": "https://github.com/OpenSC/OpenSC/wiki/CVE-2025-13763"}], "datePublic": "2026-04-23T12:09:46.867Z", "workarounds": [{"lang": "en", "value": "To mitigate this issue, avoid connecting untrusted USB devices or smart cards to systems running affected versions of Red Hat Enterprise Linux. This operational control reduces the risk of an attacker presenting a specially crafted device to exploit the uninitialized variable flaws in `libopensc`."}], "timeline": [{"lang": "en", "time": "2025-11-27T14:28:07.219Z", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2026-04-23T12:09:46.867Z", "value": "Made public."}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2026-04-23T12:33:39.857Z"}, "x_generator": {"engine": "cvelib 1.8.0"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-457", "lang": "en", "description": "CWE-457 Use of Uninitialized Variable"}]}], "references": [{"url": "https://github.com/OpenSC/OpenSC/security/advisories/GHSA-2v44-fq35-98vv", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-23T14:04:28.240123Z", "id": "CVE-2025-13763", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-23T14:05:23.182Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-13763", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "state": "PUBLISHED", "assignerShortName": "redhat", "dateReserved": "2025-11-27T14:35:05.731Z", "datePublished": "2026-04-23T12:27:41.820Z", "dateUpdated": "2026-04-23T14:05:23.182Z"}, "containers": {"cna": {"title": "Libopensc: opensc: multiple uses of uninitialized variable", "metrics": [{"other": {"content": {"value": "Low", "namespace": "https://access.redhat.com/security/updates/classification/"}, "type": "Red Hat severity rating"}}, {"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "PHYSICAL", "availabilityImpact": "HIGH", "baseScore": 5.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H", "version": "3.1"}, "format": "CVSS"}], "descriptions": [{"lang": "en", "value": "Multiple uses of uninitialized variables were found in libopensc that may lead to information disclosure or application crash. An attack requires a crafted USB device or smart card that would present the system with specially crafted responses to the APDUs"}], "affected": [{"vendor": "OpenSC", "product": "OpenSC", "versions": [{"status": "affected", "version": "0", "lessThan": "0.27.0", "versionType": "semver"}], "defaultStatus": "unaffected"}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 10", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "opensc", "defaultStatus": "affected", "cpes": ["cpe:/o:redhat:enterprise_linux:10"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 7", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "opensc", "defaultStatus": "affected", "cpes": ["cpe:/o:redhat:enterprise_linux:7"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "opensc", "defaultStatus": "affected", "cpes": ["cpe:/o:redhat:enterprise_linux:8"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 9", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "opensc", "defaultStatus": "affected", "cpes": ["cpe:/o:redhat:enterprise_linux:9"]}], "references": [{"url": "https://access.redhat.com/security/cve/CVE-2025-13763", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2417581", "name": "RHBZ#2417581", "tags": ["issue-tracking", "x_refsource_REDHAT"]}, {"url": "https://github.com/OpenSC/OpenSC/security/advisories/GHSA-2v44-fq35-98vv"}, {"url": "https://github.com/OpenSC/OpenSC/wiki/CVE-2025-13763"}], "datePublic": "2026-04-23T12:09:46.867Z", "workarounds": [{"lang": "en", "value": "To mitigate this issue, avoid connecting untrusted USB devices or smart cards to systems running affected versions of Red Hat Enterprise Linux. This operational control reduces the risk of an attacker presenting a specially crafted device to exploit the uninitialized variable flaws in `libopensc`."}], "timeline": [{"lang": "en", "time": "2025-11-27T14:28:07.219Z", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2026-04-23T12:09:46.867Z", "value": "Made public."}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2026-04-23T12:33:39.857Z"}, "x_generator": {"engine": "cvelib 1.8.0"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-13763", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-23T14:04:28.240123Z"}}}], "references": [{"url": "https://github.com/OpenSC/OpenSC/security/advisories/GHSA-2v44-fq35-98vv", "tags": ["exploit"]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-457", "description": "CWE-457 Use of Uninitialized Variable"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-23T14:05:19.606Z"}}]}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Multiple uses of uninitialized variables were found in libopensc that may lead to information disclosure or application crash. An attack requires a crafted USB device or smart card that would present the system with specially crafted responses to the APDUs"}], "id": "CVE-2025-13763", "lastModified": "2026-04-23T15:22:53.120", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "PHYSICAL", "availabilityImpact": "HIGH", "baseScore": 5.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 0.5, "impactScore": 5.2, "source": "secalert@redhat.com", "type": "Secondary"}]}, "published": "2026-04-23T13:16:09.697", "references": [{"source": "secalert@redhat.com", "url": "https://access.redhat.com/security/cve/CVE-2025-13763"}, {"source": "secalert@redhat.com", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2417581"}, {"source": "secalert@redhat.com", "url": "https://github.com/OpenSC/OpenSC/security/advisories/GHSA-2v44-fq35-98vv"}, {"source": "secalert@redhat.com", "url": "https://github.com/OpenSC/OpenSC/wiki/CVE-2025-13763"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://github.com/OpenSC/OpenSC/security/advisories/GHSA-2v44-fq35-98vv"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-457"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"bugzilla": {"description": "libopensc: opensc: Multiple uses of uninitialized variable", "id": "2417581", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2417581"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.7", "cvss3_scoring_vector": "CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H", "status": "draft"}, "details": ["Multiple uses of uninitialized variables were found in libopensc that may lead to information disclosure or application crash. An attack requires a crafted USB device or smart card that would present the system with specially crafted responses to the APDUs"], "mitigation": {"lang": "en:us", "value": "To mitigate this issue, avoid connecting untrusted USB devices or smart cards to systems running affected versions of Red Hat Enterprise Linux. This operational control reduces the risk of an attacker presenting a specially crafted device to exploit the uninitialized variable flaws in `libopensc`."}, "name": "CVE-2025-13763", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "opensc", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Fix deferred", "package_name": "opensc", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "opensc", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "opensc", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-04-23T12:09:46Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-13763\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-13763\nhttps://github.com/OpenSC/OpenSC/security/advisories/GHSA-2v44-fq35-98vv\nhttps://github.com/OpenSC/OpenSC/wiki/CVE-2025-13763"], "statement": "Physical access is required for a successful attack of this vulnerability which increases the complexity and lowers the severity of this flaw hence it was rated Low.", "threat_severity": "Low"}

{}