CVE-2025-66037 LOW

CVE-2025-66037: OpenSC: Out of Bounds vulnerability

Vendor Opensc
Product OpenSC
Weakness CWE-125
Published March 30, 2026
Last update March 30, 2026

CVSS base score

3.9/10
Attack vector Physical
Attack complexity High
Privileges required None
User interaction None
Scope Unchanged
Confidentiality Low
Integrity Low
Availability Low

CVSS vector

CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

What the vulnerability does

Description

OpenSC is a set of open source smart card tools and middleware. Prior to version 0.27.0, feeding a crafted input to the fuzz_pkcs15_reader harness causes OpenSC to perform an out-of-bounds heap read in the X.509/SPKI handling path. Specifically, sc_pkcs15_pubkey_from_spki_fields() allocates a zero-length buffer and then reads one byte past the end of that allocation. This issue has been patched in version 0.27.0.

Key dates

Disclosure timeline

March 30, 2026 CVE published
March 30, 2026 Record updated