Executive Summary

CVE-2025-66038 is a vulnerability in the OpenSC project affecting versions prior to 0.27.0. It exists in the function sc_compacttlv_find_tag, which processes compact-TLV (Type-Length-Value) encoded buffers. In this encoding, a single byte encodes both a tag and the length of its value. The vulnerability occurs because the function does not verify that the claimed length of the value fits within the actual buffer size before returning a pointer to the value.

For example, if a crafted buffer contains a single byte {0x0A}, it encodes a tag of 0x0 and a length of 10, but no actual value bytes follow since the buffer length is only 1. When searching for tag 0x00, the function returns a pointer just past the buffer and sets the output length to 10 without bounds checking. This results in an out-of-bounds pointer being returned.

If untrusted data, such as from smart cards or files, is passed to this function, an attacker can exploit this flaw to cause downstream memory corruption when the returned pointer is dereferenced, potentially leading to security issues like crashes or unexpected behavior.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to memory corruption due to out-of-bounds reads when processing specially crafted compact-TLV data from untrusted sources such as malicious smart cards or files.

The impact includes potential application crashes or unexpected behavior in OpenSC tools and middleware that rely on the vulnerable function. This could disrupt the normal operation of smart card interactions or related security processes.

The CVSS v3.1 base score is 3.9, indicating low severity, with low impacts on confidentiality, integrity, and availability. The attack requires physical access and has high complexity, with no privileges or user interaction needed.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by testing the OpenSC software with crafted compact-TLV buffers that trigger the out-of-bounds pointer return in the function sc_compacttlv_find_tag. A proof-of-concept testcase exists that calls this function with a specially crafted buffer such as a single byte {0x0A} and prints the out-of-bounds pointer and length.

To detect the vulnerability on your system, you can build and run the provided Docker-based reproduction environment with AddressSanitizer enabled using clang-17. This setup will help identify memory corruption issues caused by the vulnerability.

No specific network commands are provided since the attack vector is physical and involves processing data from smart cards or files. Detection involves running tests against the vulnerable OpenSC versions (prior to 0.27.0) using the provided test cases or fuzzing tools.

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to upgrade OpenSC to version 0.27.0 or later, where the vulnerability in sc_compacttlv_find_tag has been patched.

Avoid processing untrusted or maliciously crafted smart cards or files that contain invalid compact-TLV data until the upgrade is applied.

If upgrading immediately is not possible, consider restricting physical access to devices that use OpenSC or the affected smart cards to reduce the risk of exploitation.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability in OpenSC (CVE-2025-66038) involves a buffer over-read issue that can lead to memory corruption when processing untrusted data from smart cards or files. While the CVE description and resources detail the technical aspects and potential impacts such as application crashes or unexpected behavior, there is no direct information provided about how this vulnerability affects compliance with common standards and regulations like GDPR or HIPAA.

Useful 0 Not Useful 0