CVE-2025-66037: Possible buffer overrun while parsing SPKI

A malicious smart card could return a malicious public key object whose SPKI has a size of 0, resulting in a read beyond the 0-length buffer and potentially causing either a crash or unexpected behavior in an application using OpenSC.

The reported issue is part of the libopensc library, which makes it reachable from the OpenSC tools, the PKCS#11 module, the minidriver, and CTK. The attack requires a crafted USB device or smart card that presents the system with specially crafted responses to the APDUs, so this is considered high complexity and low severity.

  • sc_pkcs15_pubkey_from_spki_fields
    • The function is given a buffer parsed from the outer ASN.1 structure, which can be a 0-length buffer. The buffer is copied with malloc and memcpy, and then its first byte is tested without checking that the length is at least one byte.
    • Fixed in commit 65fc211015cfcac27b10d0876054156c97225f50
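An added illustration of the defect and its fix, not OpenSC's own code: a simplified C pair in which the vulnerable function copies the SPKI-derived buffer and tests its first byte without a length check, while the hardened one rejects a 0-length SPKI before allocating or dereferencing. The return codes and the leading-byte test are constructed for this example and stand in for whatever the real function inspects.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed return codes for this example (not OpenSC's own constants). */
#define EX_SUCCESS           0
#define EX_INVALID_DATA    (-1)
#define EX_OUT_OF_MEMORY   (-2)

/* Vulnerable shape: copy the buffer handed over by the outer ASN.1 parser and
 * test its first byte without checking that len >= 1. With len == 0, malloc(0)
 * and memcpy(..., 0) do not fail, but copy[0] reads past a zero-length
 * allocation: the out-of-bounds read described in the advisory. */
int parse_spki_key_vulnerable(const unsigned char *buf, size_t len, int *leading_zero)
{
    unsigned char *copy = malloc(len);
    if (copy == NULL)
        return EX_OUT_OF_MEMORY;
    memcpy(copy, buf, len);
    *leading_zero = (copy[0] == 0x00);   /* out-of-bounds read when len == 0 */
    free(copy);
    return EX_SUCCESS;
}

/* Hardened shape: validate the length first. An empty SPKI from the card is
 * rejected as invalid data before any allocation or dereference happens. */
int parse_spki_key_fixed(const unsigned char *buf, size_t len, int *leading_zero)
{
    unsigned char *copy;

    if (buf == NULL || len == 0)
        return EX_INVALID_DATA;

    copy = malloc(len);
    if (copy == NULL)
        return EX_OUT_OF_MEMORY;
    memcpy(copy, buf, len);

    *leading_zero = (copy[0] == 0x00);   /* safe: at least one byte exists */
    free(copy);
    return EX_SUCCESS;
}
```

On valid input both functions agree; only the hardened one is safe to call with the 0-length buffer a malicious card can produce.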

Affected versions: all before 0.27.0

Originally reported by Aldo Ristori via OSS-Fuzz. Patches provided by Jakub Jelen.

CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L (3.9)