CVE-2025-66215: Possible write beyond buffer bounds in oberthur driver
A malicious smart card could return more data than the oberthur driver expects, resulting in a write beyond the buffer bounds, potentially causing a crash, data corruption, or unexpected behavior of the application using OpenSC.
The reported issue is in the libopensc library, which makes it reachable from the OpenSC tools, the PKCS#11 module, the minidriver, or CTK. The attack requires a crafted USB device or smart card that presents the system with specially crafted responses to APDUs, so it is considered high complexity and low severity.
- auth_compute_signature
  - The function constructs an APDU request but sets inconsistent response buffer and response buffer length values. When a malicious smart card returns more data than expected, the reader driver writes beyond the buffer bounds on the stack, likely corrupting other data on the stack.
  - fixed with a4bbf8a631537a4c0083b264095ed1cd36d307ab and 56bc5e9575965461d99a274be45d71c18ab6eae0
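A simplified model of this defect class, added here as an illustration and not taken from OpenSC: the structure, function names and sizes are constructed. The response buffer is modelled as the first 8 bytes of a 16-byte array, so the effect of a declared length that disagrees with the real buffer size can be observed without undefined behavior.

```c
#include <stddef.h>
#include <string.h>

#define RESP_CAP 8   /* logical size of the response buffer (constructed value) */
#define ARENA    16  /* response buffer followed by 8 bytes of "adjacent stack data" */

/* Simplified stand-in for an APDU response slot; not OpenSC's real structure. */
struct apdu_model {
    unsigned char *resp;  /* where the reader layer stores the card's reply */
    size_t resplen;       /* capacity the caller declares for resp */
};

/* Model reader layer: it can only trust resplen as the capacity of resp. */
static int model_transmit(struct apdu_model *a, const unsigned char *reply, size_t n)
{
    if (n > a->resplen)
        return -1;              /* reply larger than the declared capacity */
    memcpy(a->resp, reply, n);
    a->resplen = n;
    return 0;
}

/* Runs one exchange with resplen = declared_len. Returns the number of adjacent
 * bytes overwritten, -1 if the reply was rejected, -2 if the model is misused. */
static int run_exchange(size_t declared_len, const unsigned char *reply, size_t n)
{
    unsigned char arena[ARENA];
    struct apdu_model a;
    int i, damaged = 0;

    if (declared_len > ARENA) return -2;  /* keep the model itself in bounds */
    memset(arena, 0xAA, sizeof(arena));   /* 0xAA marks untouched memory */
    a.resp = arena;                       /* buffer is arena[0..RESP_CAP-1] */
    a.resplen = declared_len;
    if (model_transmit(&a, reply, n) != 0)
        return -1;
    for (i = RESP_CAP; i < ARENA; i++)
        damaged += (arena[i] != 0xAA);
    return damaged;
}

int main(void)
{
    unsigned char reply[12];
    memset(reply, 0x41, sizeof(reply));   /* constructed 12-byte card reply */
    /* Inconsistent length (16 for an 8-byte buffer) vs. consistent length (8). */
    return !(run_exchange(ARENA, reply, sizeof(reply)) == 4 &&
             run_exchange(RESP_CAP, reply, sizeof(reply)) == -1);
}
```

With the inconsistent length the 12-byte reply passes the length check and overwrites 4 adjacent bytes; with the length tied to the real buffer size the same reply is rejected before any copy.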
Affected versions: all before 0.27.0
Originally reported by OSS-Fuzz. Patches provided by Frank Morgner.
CVSS:3.1/AV:P/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L (3.8)