CVE-2025-66038
Received Received - Intake
Out-of-Bounds Read in OpenSC compact-TLV Parsing Causes Memory Corruption

Publication date: 2026-03-30

Last updated on: 2026-04-01

Assigner: GitHub, Inc.

Description
OpenSC is an open source smart card tools and middleware. Prior to version 0.27.0, sc_compacttlv_find_tag searches a compact-TLV buffer for a given tag. In compact-TLV, a single byte encodes the tag (high nibble) and value length (low nibble). With a 1-byte buffer {0x0A}, the encoded element claims tag=0 and length=10 but no value bytes follow. Calling sc_compacttlv_find_tag with search tag 0x00 returns a pointer equal to buf+1 and outlen=10 without verifying that the claimed value length fits within the remaining buffer. In cases where the sc_compacttlv_find_tag is provided untrusted data (such as being read from cards/files), attackers may be able to influence it to return out-of-bounds pointers leading to downstream memory corruption when subsequent code tries to dereference the pointer. This issue has been patched in version 0.27.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-30
Last Modified
2026-04-01
Generated
2026-05-07
AI Q&A
2026-03-30
EPSS Evaluated
2026-05-05
NVD
CVE-2025-66038
EUVD
EUVD-2025-209127
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
opensc_project opensc to 0.27.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-126 The product reads from a buffer using buffer access mechanisms such as indexes or pointers that reference memory locations after the targeted buffer.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2025-66038 is a vulnerability in the OpenSC project affecting versions prior to 0.27.0. It exists in the function sc_compacttlv_find_tag, which processes compact-TLV (Type-Length-Value) encoded buffers. In this encoding, a single byte encodes both a tag and the length of its value. The vulnerability occurs because the function does not verify that the claimed length of the value fits within the actual buffer size before returning a pointer to the value.

For example, if a crafted buffer contains a single byte {0x0A}, it encodes a tag of 0x0 and a length of 10, but no actual value bytes follow since the buffer length is only 1. When searching for tag 0x00, the function returns a pointer just past the buffer and sets the output length to 10 without bounds checking. This results in an out-of-bounds pointer being returned.

If untrusted data, such as from smart cards or files, is passed to this function, an attacker can exploit this flaw to cause downstream memory corruption when the returned pointer is dereferenced, potentially leading to security issues like crashes or unexpected behavior.


How can this vulnerability impact me? :

This vulnerability can lead to memory corruption due to out-of-bounds reads when processing specially crafted compact-TLV data from untrusted sources such as malicious smart cards or files.

The impact includes potential application crashes or unexpected behavior in OpenSC tools and middleware that rely on the vulnerable function. This could disrupt the normal operation of smart card interactions or related security processes.

The CVSS v3.1 base score is 3.9, indicating low severity, with low impacts on confidentiality, integrity, and availability. The attack requires physical access and has high complexity, with no privileges or user interaction needed.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by testing the OpenSC software with crafted compact-TLV buffers that trigger the out-of-bounds pointer return in the function sc_compacttlv_find_tag. A proof-of-concept testcase exists that calls this function with a specially crafted buffer such as a single byte {0x0A} and prints the out-of-bounds pointer and length.

To detect the vulnerability on your system, you can build and run the provided Docker-based reproduction environment with AddressSanitizer enabled using clang-17. This setup will help identify memory corruption issues caused by the vulnerability.

No specific network commands are provided since the attack vector is physical and involves processing data from smart cards or files. Detection involves running tests against the vulnerable OpenSC versions (prior to 0.27.0) using the provided test cases or fuzzing tools.


What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to upgrade OpenSC to version 0.27.0 or later, where the vulnerability in sc_compacttlv_find_tag has been patched.

Avoid processing untrusted or maliciously crafted smart cards or files that contain invalid compact-TLV data until the upgrade is applied.

If upgrading immediately is not possible, consider restricting physical access to devices that use OpenSC or the affected smart cards to reduce the risk of exploitation.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

The vulnerability in OpenSC (CVE-2025-66038) involves a buffer over-read issue that can lead to memory corruption when processing untrusted data from smart cards or files. While the CVE description and resources detail the technical aspects and potential impacts such as application crashes or unexpected behavior, there is no direct information provided about how this vulnerability affects compliance with common standards and regulations like GDPR or HIPAA.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart