Memory Corruption in OpenSC Smart Card Tools and Middleware
CVE-2025-66038
3.9 LOW
What is CVE-2025-66038?
OpenSC, a set of open source smart card tools and middleware, contains a vulnerability in its sc_compacttlv_find_tag function prior to version 0.27.0. When parsing a compact-TLV buffer, the function does not verify that the claimed value length fits within the remaining buffer. If untrusted data is processed, an attacker can influence the function into returning an out-of-bounds pointer, which can lead to memory corruption when subsequent operations access it. The issue is resolved in version 0.27.0.
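The missing check described above, shown as an added example that is not OpenSC's code: a compact-TLV tag search that trusts the header's length nibble, beside one that rejects an entry whose claimed length exceeds the remaining bytes. The function names, the SAMPLE buffer and the convention of passing the tag as a 4-bit number are assumptions made for illustration; the header layout (tag in the high nibble, length in the low nibble) follows ISO/IEC 7816-4 compact-TLV.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample: tag 0x3 with 2 value bytes, then tag 0x7 whose header
 * claims 15 value bytes although only 2 bytes remain in the buffer. */
static const uint8_t SAMPLE[] = { 0x32, 0xAA, 0xBB, 0x7F, 0x01, 0x02 };

/* Unchecked pattern: trusts the low-nibble length from the header byte. */
static const uint8_t *ctlv_find_unchecked(const uint8_t *buf, size_t len, uint8_t tag, size_t *outlen)
{
    size_t idx = 0;
    while (buf != NULL && idx < len) {
        size_t vlen = buf[idx] & 0x0F;
        if ((buf[idx] >> 4) == tag) {
            *outlen = vlen;              /* may exceed the bytes actually present */
            return buf + idx + 1;
        }
        idx += 1 + vlen;
    }
    return NULL;
}

/* Checked pattern: a claimed length larger than the remaining bytes is
 * treated as malformed input and ends the search. */
static const uint8_t *ctlv_find_checked(const uint8_t *buf, size_t len, uint8_t tag, size_t *outlen)
{
    size_t idx = 0;
    while (buf != NULL && idx < len) {
        size_t vlen = buf[idx] & 0x0F;
        size_t remaining = len - idx - 1;    /* bytes after the header byte */
        if (vlen > remaining)
            return NULL;                     /* truncated entry: reject */
        if ((buf[idx] >> 4) == tag) {
            *outlen = vlen;
            return buf + idx + 1;
        }
        idx += 1 + vlen;
    }
    return NULL;
}

int main(void)
{
    size_t n = 0;
    const uint8_t *p = ctlv_find_unchecked(SAMPLE, sizeof SAMPLE, 0x7, &n);
    printf("unchecked: claims %zu bytes, %zu present\n", n, (size_t)(SAMPLE + sizeof SAMPLE - p));
    printf("checked: %s\n", ctlv_find_checked(SAMPLE, sizeof SAMPLE, 0x7, &n) ? "found" : "rejected");
    return 0;
}
```

A caller that copies or reads `*outlen` bytes from the unchecked result would run past the end of the buffer; the checked variant returns NULL for the same input.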
Affected Version(s)
OpenSC < 0.27.0
