CVE-2025-66037
Out-of-Bounds Heap Read in OpenSC X.509/SPKI Handling

Publication date: 2026-03-30

Last updated on: 2026-04-01

Assigner: GitHub, Inc.

Description
OpenSC is an open source smart card tools and middleware. Prior to version 0.27.0, feeding a crafted input to the fuzz_pkcs15_reader harness causes OpenSC to perform an out-of-bounds heap read in the X.509/SPKI handling path. Specifically, sc_pkcs15_pubkey_from_spki_fields() allocates a zero-length buffer and then reads one byte past the end of that allocation. This issue has been patched in version 0.27.0.
Meta Information
Published: 2026-03-30
Last Modified: 2026-04-01
Generated: 2026-05-27
AI Q&A: 2026-03-30
EPSS Evaluated: 2026-05-25
Affected Vendors & Products
Vendor: opensc_project | Product: opensc | Version / Range: all versions before 0.27.0 (0.27.0 itself is not affected)
CWE
CWE-125: The product reads data past the end, or before the beginning, of the intended buffer.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2025-66037 is a low-severity security vulnerability in the OpenSC project, specifically in the function sc_pkcs15_pubkey_from_spki_fields() which handles parsing of X.509/SPKI public key data.

The vulnerability occurs when this function processes a crafted input that results in allocating a zero-length buffer and then reading one byte beyond the end of that buffer. This out-of-bounds heap read happens because the code does not verify that the buffer length is at least one byte before accessing it.

Exploitation requires a specially crafted smart card or USB device that returns malicious public key data with an SPKI size of zero, causing the function to perform the invalid read.

This issue can lead to undefined behavior such as application crashes or unexpected behavior, but it is considered low severity due to the high attack complexity and limited impact.
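
The check the answer describes, shown as an added illustration that is not OpenSC's code: a hypothetical parser for a length-prefixed key field that rejects an empty field before any element access, so a zero-length allocation is never followed by a read of its first byte (the CWE-125 pattern above).

```c
#include <stdlib.h>
#include <string.h>
#include <stddef.h>

/* Hypothetical key field: one length byte followed by that many data bytes.
   The names and layout are assumptions for this example, not OpenSC's. */
struct key_field {
    unsigned char *data;
    size_t len;
    unsigned char first;  /* first data byte, read only when len >= 1 */
};

/* Returns 0 on success, -1 on malformed/truncated input, -2 on an empty
   field, -3 on allocation failure. */
int parse_key_field(const unsigned char *in, size_t in_len, struct key_field *out)
{
    if (in == NULL || out == NULL || in_len < 1)
        return -1;
    size_t len = in[0];
    if (in_len - 1 < len)          /* declared length exceeds available bytes */
        return -1;
    /* The defect class described in the advisory: allocating `len` bytes when
       len == 0 and then touching element 0 of that allocation. Reject empty
       fields here, before any buffer access. */
    if (len == 0)
        return -2;
    unsigned char *buf = malloc(len);
    if (buf == NULL)
        return -3;
    memcpy(buf, in + 1, len);
    out->data = buf;
    out->len = len;
    out->first = buf[0];           /* in bounds: len >= 1 is guaranteed */
    return 0;
}

void free_key_field(struct key_field *f)
{
    free(f->data);
    f->data = NULL;
    f->len = 0;
}
```

Under Valgrind or AddressSanitizer, the unguarded variant of this code shows up as a 1-byte invalid read just past a 0-byte heap block, which is the signature the detection answer refers to.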


How can this vulnerability impact me?

This vulnerability can cause OpenSC-based applications to perform out-of-bounds reads when processing maliciously crafted smart card or USB device inputs.

The immediate impact includes potential application crashes or undefined behavior, which could affect the stability and reliability of systems using OpenSC for smart card operations.

There is also a theoretical low-severity risk of information exposure due to the out-of-bounds read, but no direct evidence of data leakage has been reported.

Because the attack requires physical access to a device capable of presenting malicious data and has high complexity, the overall risk to most users is low.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring for crashes or unexpected behavior in OpenSC versions prior to 0.27.0 when processing smart card or USB device inputs, especially malformed or adversarial X.509 certificates or SPKI data.

Detection can be aided by using debugging and memory analysis tools such as Valgrind, which can identify the invalid out-of-bounds read of size 1 occurring in the function sc_pkcs15_pubkey_from_spki_fields().

  • Run OpenSC with Valgrind on a system processing smart card inputs to detect invalid reads: valgrind --tool=memcheck opensc-tool [options]
  • Use fuzzing harnesses like fuzz_pkcs15_reader or fuzz_pkcs15_crypt to test for the vulnerability by feeding crafted inputs.
  • Monitor logs and application crashes related to OpenSC when interacting with smart cards or USB devices.

What immediate steps should I take to mitigate this vulnerability?

The primary mitigation step is to upgrade OpenSC to version 0.27.0 or later, where this vulnerability has been patched.

Until the upgrade can be applied, avoid using untrusted or potentially malicious smart cards or USB devices that could trigger the vulnerability.

Consider restricting physical access to systems using OpenSC to prevent attackers from introducing crafted devices.

Monitor OpenSC usage and logs for any unusual behavior or crashes that might indicate exploitation attempts.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

