CVE-2025-66038 LOW

CVE-2025-66038: OpenSC: `sc_compacttlv_find_tag` can return out-of-bounds pointers

Vendor Opensc
Product OpenSC
Weakness CWE-126
Published March 30, 2026
Last update April 1, 2026

CVSS base score

3.9/10
Attack vector Physical
Attack complexity High
Privileges required None
User interaction None
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

What the vulnerability does

01Description

OpenSC is an open source smart card tools and middleware. Prior to version 0.27.0, sc_compacttlv_find_tag searches a compact-TLV buffer for a given tag. In compact-TLV, a single byte encodes the tag (high nibble) and value length (low nibble). With a 1-byte buffer {0x0A}, the encoded element claims tag=0 and length=10 but no value bytes follow. Calling sc_compacttlv_find_tag with search tag 0x00 returns a pointer equal to buf+1 and outlen=10 without verifying that the claimed value length fits within the remaining buffer. In cases where the sc_compacttlv_find_tag is provided untrusted data (such as being read from cards/files), attackers may be able to influence it to return out-of-bounds pointers leading to downstream memory corruption when subsequent code tries to dereference the pointer. This issue has been patched in version 0.27.0.

Key dates

02Disclosure timeline

March 30, 2026 CVE published
April 1, 2026 Record updated