CVE-2025-66038: Possible read beyond buffer bounds when parsing historical bytes in PIV driver
A malicious smart card could return a crafted Answer to Reset (ATR) with invalid Compact-TLV encoding in the historical bytes, resulting in a read beyond the buffer bounds and potentially causing a crash or unexpected behavior of the application using OpenSC.
The reported issue is part of the libopensc library, which makes it reachable from the OpenSC tools, the PKCS#11 module, the minidriver, or CTK. The attack requires a crafted USB device or smart card that presents the system with specially crafted responses to the APDUs, so this is considered high complexity and low severity.
- sc_compacttlv_find_tag
- The function is provided with a buffer and its bounds, but the bounds of the parsed data are checked only if the searched tag has its expected length (low nibble). In other cases, the bounds are ignored and the function can return a tag length larger than the provided buffer.
- fixed with a20b91adc2fc66785c0df98abc8ef456c0eaab9d
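As an added example that is not OpenSC's own code, the following hypothetical `ctlv_find_tag` shows a Compact-TLV lookup in which the declared length of every element is validated against the remaining buffer before the element is skipped or returned, not only when the searched tag matches. The names `ctlv_find_tag`, `ctlv_value_offset`, `HIST_OK` and `HIST_TRUNC` and the sample bytes are all constructed here.

```c
#include <stddef.h>
#include <stdint.h>

/* Bounds-checked Compact-TLV lookup written for this advisory (a hypothetical
 * stand-in, not OpenSC's sc_compacttlv_find_tag). Each Compact-TLV element is a
 * single header byte (high nibble = tag, low nibble = value length) followed by
 * that many value bytes. 'tag' carries the wanted tag in its high nibble and an
 * optional expected length in its low nibble (0 = accept any length).
 * Returns a pointer to the value, or NULL if the tag is absent or the data is
 * truncated. */
const uint8_t *ctlv_find_tag(const uint8_t *buf, size_t len, uint8_t tag, size_t *vlen)
{
    size_t i = 0;
    if (buf == NULL)
        return NULL;
    while (i < len) {
        uint8_t hdr = buf[i];
        size_t l = hdr & 0x0F;
        /* Validate the declared length of EVERY element before skipping or
         * returning it; a truncated element must stop the walk whether or not
         * it carries the tag being searched for. i < len here, so no underflow. */
        if (l > len - i - 1)
            return NULL;
        if ((hdr & 0xF0) == (tag & 0xF0) && ((tag & 0x0F) == 0 || l == (tag & 0x0F))) {
            if (vlen)
                *vlen = l;
            return buf + i + 1;
        }
        i += 1 + l;
    }
    return NULL;
}

/* Constructed historical bytes: card service data (tag 3, 1 byte), pre-issuing
 * data (tag 6, 2 bytes) and card capabilities (tag 7, 3 bytes). */
const uint8_t HIST_OK[] = {0x31, 0xC0, 0x62, 0x01, 0x02, 0x73, 0xAA, 0xBB, 0xCC};
/* Constructed malformed sample: the last header claims 15 value bytes, but only
 * one byte follows it. */
const uint8_t HIST_TRUNC[] = {0x31, 0xC0, 0x7F, 0xAA};

/* Offset of the value bytes for 'tag' from the start of buf, or -1 if the tag
 * is not found or the encoding is invalid; handy for checking results. */
long ctlv_value_offset(const uint8_t *buf, size_t len, uint8_t tag)
{
    const uint8_t *v = ctlv_find_tag(buf, len, tag, NULL);
    return v ? (long)(v - buf) : -1;
}
```

Looking up tag 7 in `HIST_OK` yields offset 6 with a 3-byte value, while the same lookup in `HIST_TRUNC` is rejected because the element's declared length exceeds the remaining bytes.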
Affected versions: all before 0.27.0
Originally reported by Harrison Green, from CMU. This testcase was discovered by STITCH, an autonomous fuzzing system. Patches provided by Jakub Jelen.
CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L (3.9)