CVE-2025-49010: Possible write beyond buffer bounds during processing of GET RESPONSE APDU

A malicious smart card could return 0-length data in the GET RESPONSE APDU, causing the driver to write beyond the caller-provided buffer in the sc_get_response() function.

Affected are the following card drivers: skeid, cardos, cyberflex, gemsafeV1, starcos, tcos, oberthur, authentic, iasecc, belpic, entersafe, rutoken_ecp, myeid, dnie, MaskTech, esteid2018, idprime, edo, coolkey, muscle, sc-hsm, mcrd, setcos, PIV-II, cac, itacns, isoApplet, gids, openpgp, jpki, npa, cac1, nqapplet, eOI, default

The reported issue is part of the libopensc library, which makes it accessible from the OpenSC tools, PKCS#11 module, minidriver, or CTK. The attack requires a crafted USB device or smart card that presents the system with specially crafted responses to the APDUs, so this is considered high complexity and low severity.

  • sc_get_response
    • The iso7816_get_response() and nqapplet_get_response() functions returned early if the returned APDU did not have any data, without adjusting the count return parameter to reflect this length.
    • fixed with 953986f65db61871bbbff72788d861d67d5140c6
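
The early-return pattern described above, reduced to a simplified model (an added example, not OpenSC's code): the callback contract, the function names and the `trusted_len` caller are hypothetical and only illustrate why an unadjusted count misleads the caller.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical callback contract: *count is the requested size on entry and
 * the number of bytes actually stored in buf on return. */
typedef int (*get_resp_fn)(const unsigned char *reply, size_t reply_len,
                           size_t *count, unsigned char *buf);

/* "Before" shape: an empty reply returns early, *count keeps the request. */
static int get_resp_before(const unsigned char *reply, size_t reply_len,
                           size_t *count, unsigned char *buf)
{
    if (reply_len == 0)
        return 0;                 /* *count is not adjusted */
    if (reply_len < *count)
        *count = reply_len;
    memcpy(buf, reply, *count);
    return 0;
}

/* "After" shape: the empty case reports zero bytes before returning. */
static int get_resp_after(const unsigned char *reply, size_t reply_len,
                          size_t *count, unsigned char *buf)
{
    if (reply_len == 0) {
        *count = 0;
        return 0;
    }
    return get_resp_before(reply, reply_len, count, buf);
}

/* Model caller: requests `want` bytes and returns the length it would then
 * treat as received. Only the local scratch buffer is touched. */
size_t trusted_len(get_resp_fn fn, const unsigned char *reply,
                   size_t reply_len, size_t want)
{
    unsigned char scratch[256];
    size_t count = want < sizeof scratch ? want : sizeof scratch;
    return fn(reply, reply_len, &count, scratch) == 0 ? count : 0;
}

int main(void)
{
    const unsigned char sample[4] = {0xde, 0xad, 0xbe, 0xef}; /* constructed */
    printf("empty reply, before: %zu\n", trusted_len(get_resp_before, NULL, 0, 16));
    printf("empty reply, after:  %zu\n", trusted_len(get_resp_after, NULL, 0, 16));
    printf("4-byte reply, after: %zu\n", trusted_len(get_resp_after, sample, 4, 16));
    return 0;
}
```

A caller that copies or advances its output pointer by the reported length accounts for bytes that never arrived in the "before" case, which is the condition the fix removes.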

Affected versions: all before 0.27.0

Originally reported by Oss-fuzz. Patches provided by Frank Morgner.

CVSS:3.1/AV:P/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L (3.8)