Description
OpenSC is an open source set of smart card tools and middleware. Prior to version 0.27.0, sc_compacttlv_find_tag searches a compact-TLV buffer for a given tag. In compact-TLV, a single byte encodes the tag (high nibble) and value length (low nibble). With a 1-byte buffer {0x0A}, the encoded element claims tag=0 and length=10 but no value bytes follow. Calling sc_compacttlv_find_tag with search tag 0x00 returns a pointer equal to buf+1 and outlen=10 without verifying that the claimed value length fits within the remaining buffer. In cases where sc_compacttlv_find_tag is provided untrusted data (such as data read from cards or files), attackers may be able to influence it to return out-of-bounds pointers, leading to downstream memory corruption when subsequent code tries to dereference the pointer. This issue has been patched in version 0.27.0.
Published: 2026-03-30
Score: 3.9 Low
EPSS: < 1% Very Low
KEV: No
Impact: Out‑of‑bounds pointer that can cause memory corruption
Action: Apply Patch
AI Analysis

Impact

The vulnerability resides in the sc_compacttlv_find_tag function used by OpenSC before version 0.27.0. The function incorrectly interprets a compact‑TLV element’s length field without verifying that the claimed length fits within the remaining buffer. When supplied with untrusted data, this flaw can produce a pointer that references beyond the legitimate buffer limits and an out‑of‑bounds length value, potentially leading to memory corruption during later access. The weakness is classified as CWE‑126 (Buffer Over-read) and CWE‑805 (Buffer Access with Incorrect Length Value).
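
The missing check, as an added example that is not OpenSC's own code: a compact-TLV lookup that rejects any element whose claimed length exceeds the bytes remaining. The function name ctlv_find, its convention of taking the tag as a nibble value (0 to 15), and the sample buffers are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical helper (not OpenSC's code): find `tag` (0..15) in a
 * compact-TLV buffer. Each element is one header byte (tag in the high
 * nibble, value length in the low nibble) followed by the value bytes.
 * Returns a pointer to the value and stores its length in *outlen, or
 * returns NULL if the tag is absent or an element is truncated. */
static const uint8_t *ctlv_find(const uint8_t *buf, size_t len,
                                uint8_t tag, size_t *outlen)
{
    size_t pos = 0;

    if (buf == NULL || outlen == NULL || tag > 0x0F)
        return NULL;
    *outlen = 0;
    while (pos < len) {
        uint8_t hdr = buf[pos++];
        uint8_t etag = hdr >> 4;
        size_t elen = hdr & 0x0F;

        /* The check the advisory describes as missing: the claimed
         * value length must fit in the bytes left after the header. */
        if (elen > len - pos)
            return NULL;          /* truncated element: stop parsing */
        if (etag == tag) {
            *outlen = elen;
            return buf + pos;
        }
        pos += elen;              /* skip this element's value */
    }
    return NULL;
}

int main(void)
{
    /* Constructed inputs: the 1-byte case from the description, and a
     * well-formed buffer holding tag 3 (2 bytes) then tag 7 (1 byte). */
    const uint8_t truncated[] = { 0x0A };
    const uint8_t good[] = { 0x32, 0xAA, 0xBB, 0x71, 0xCC };
    size_t n = 0;
    const uint8_t *v = ctlv_find(truncated, sizeof truncated, 0x00, &n);

    printf("truncated: %s\n", v ? "found" : "rejected");
    v = ctlv_find(good, sizeof good, 0x07, &n);
    printf("tag 7: %s, len %zu\n", v ? "found" : "missing", n);
    return 0;
}
```

Callers should treat a NULL return as a parse failure and never use the output length on that path.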

Affected Systems

OpenSC versions prior to 0.27.0 are affected. The issue was fixed in OpenSC 0.27.0; no older product versions are listed in the CNA data.

Risk and Exploitability

The CVSS score is 3.9, indicating low severity. The EPSS score is less than 1%, suggesting a low likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred to be untrusted input, such as data read from smart cards or files manipulated by attackers. Exploitation requires the attacker to supply a crafted compact‑TLV buffer, which is possible when the smart card backend accepts arbitrary input.

Generated by OpenCVE AI on April 2, 2026 at 02:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenSC to version 0.27.0 or later.


Advisories

No advisories yet.

History

Fri, 03 Apr 2026 10:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Opensc; Opensc opensc
Vendors & Products | | Opensc; Opensc opensc

Wed, 01 Apr 2026 23:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Opensc Project; Opensc Project opensc
CPEs | | cpe:2.3:a:opensc_project:opensc:*:*:*:*:*:*:*:*
Vendors & Products | | Opensc Project; Opensc Project opensc
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 31 Mar 2026 03:00:00 +0000

Type | Values Removed | Values Added
Weaknesses | | CWE-805
References | |
Metrics | threat_severity: None | threat_severity: Low


Mon, 30 Mar 2026 17:30:00 +0000

Type | Values Removed | Values Added
Description | | OpenSC is an open source set of smart card tools and middleware. Prior to version 0.27.0, sc_compacttlv_find_tag searches a compact-TLV buffer for a given tag. In compact-TLV, a single byte encodes the tag (high nibble) and value length (low nibble). With a 1-byte buffer {0x0A}, the encoded element claims tag=0 and length=10 but no value bytes follow. Calling sc_compacttlv_find_tag with search tag 0x00 returns a pointer equal to buf+1 and outlen=10 without verifying that the claimed value length fits within the remaining buffer. In cases where sc_compacttlv_find_tag is provided untrusted data (such as data read from cards or files), attackers may be able to influence it to return out-of-bounds pointers, leading to downstream memory corruption when subsequent code tries to dereference the pointer. This issue has been patched in version 0.27.0.
Title | | OpenSC: `sc_compacttlv_find_tag` can return out-of-bounds pointers
Weaknesses | | CWE-126
References | |
Metrics | | cvssV3_1: {'score': 3.9, 'vector': 'CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-01T18:15:33.347Z

Reserved: 2025-11-21T01:08:02.615Z

Link: CVE-2025-66038

Vulnrichment

Updated: 2026-04-01T18:15:28.159Z

NVD

Status: Analyzed

Published: 2026-03-30T18:16:18.177

Modified: 2026-04-01T17:40:36.183

Link: CVE-2025-66038

Red Hat

Severity: Low

Public Date: 2026-03-30T17:03:55Z

Links: CVE-2025-66038 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-03T09:11:13Z

Weaknesses