CVE-2023-40661
MEDIUMOpenSC < 0.23.0 - Memory Corruption via Crafted Smart Card APDU Responses
Title source: llmDescription
Several memory vulnerabilities were identified within the OpenSC packages, particularly in the card enrollment process using pkcs15-init when a user or administrator enrolls cards. To take advantage of these flaws, an attacker must have physical access to the computer system and employ a custom-crafted USB device or smart card to manipulate responses to APDUs. This manipulation can potentially allow compromise key generation, certificate loading, and other card management operations during enrollment.
References (12)
Core 12
Core References
Release Notes
https://github.com/OpenSC/OpenSC/releases/tag/0.24.0-rc1
Vendor Advisory
https://github.com/OpenSC/OpenSC/wiki/OpenSC-security-advisories
Mailing List, Third Party Advisory
https://lists.fedoraproject.org/archives/list/[email protected]/message/3CPQOMCDWFRBMEFR5VK4N5MMXXU42ODE/
Mailing List, Third Party Advisory
https://lists.fedoraproject.org/archives/list/[email protected]/message/GLYEFIBBA37TK3UNMZN5NOJ7IWCIXLQP/
Vendor Advisory vendor-advisory
x_refsource_redhat
https://access.redhat.com/errata/RHSA-2023:7876
Vendor Advisory vendor-advisory
x_refsource_redhat
https://access.redhat.com/errata/RHSA-2023:7879
Third Party Advisory vdb-entry
x_refsource_redhat
https://access.redhat.com/security/cve/CVE-2023-40661
Issue Tracking issue-tracking
x_refsource_redhat
https://bugzilla.redhat.com/show_bug.cgi?id=2240913
Scores
CVSS v3
5.4
EPSS
0.0029
EPSS Percentile
52.9%
Attack Vector
PHYSICAL
CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H
Details
CWE
CWE-119
Status
published
Products (3)
opensc_project/opensc
< 0.23.0
redhat/enterprise_linux
8.0
redhat/enterprise_linux
9.0
Published
Nov 06, 2023
Tracked Since
Feb 18, 2026