Out-of-Bounds Heap Read Vulnerability in OpenSC by OpenSC
CVE-2025-66037

3.9LOW

Key Information:

Vendor: Opensc
Status: Opensc
Vendor: CVE Published:; 30 March 2026

What is CVE-2025-66037?

OpenSC is an open source project providing tools and middleware for smart card applications. A vulnerability was identified in versions preceding 0.27.0, where a maliciously crafted input to the fuzz_pkcs15_reader function could result in an out-of-bounds heap read associated with X.509/SPKI processing. This flaw occurs when the function sc_pkcs15_pubkey_from_spki_fields() attempts to access memory outside of its allocated buffer, specifically reading beyond a zero-length buffer allocation. This behavior could potentially allow an attacker to manipulate memory, leading to unauthorized information disclosure or system instability. OpenSC has addressed this issue in version 0.27.0.

Affected Version(s)

OpenSC < 0.27.0

References

https://github.com/OpenSC/OpenSC/security/advisories/GHSA...

x_refsource_CONFIRM

https://github.com/OpenSC/OpenSC/wiki/CVE-2025-66037

x_refsource_MISC

CVSS V3.1

Score:

3.9

Severity:

LOW

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Physical

Attack Complexity:

High

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 30, 2026
Vulnerability Reserved
Nov 21, 2025

CVE-2025-66037 Data

JSON

Opensc

What is CVE-2025-66037?

Affected Version(s)

References

CVSS V3.1

Timeline