Description
A use-after-free vulnerability was found in the AuthentIC driver in OpenSC packages, occurring in the card enrolment process using pkcs15-init when a user or administrator enrols or modifies cards. An attacker must have physical access to the computer system and requires a crafted USB device or smart card to present the system with specially crafted responses to the APDUs; the attack is considered high complexity and low severity. This manipulation can allow for compromised card management operations during enrolment.
References (8)

Issue Tracking: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=64898
Mailing List, Third Party Advisory: https://lists.fedoraproject.org/archives/list/[email protected]/message/OWIZ5ZLO5ECYPLSTESCF7I7PQO5X6ZSU/
Mailing List, Third Party Advisory: https://lists.fedoraproject.org/archives/list/[email protected]/message/RJI2FWLY24EOPALQ43YPQEZMEP3APPPI/
Mailing List, Third Party Advisory: https://lists.fedoraproject.org/archives/list/[email protected]/message/UECKC7X4IM4YZQ5KRQMNBNKNOXLZC7RZ/
Third Party Advisory (vdb-entry, x_refsource_redhat): https://access.redhat.com/security/cve/CVE-2024-1454
Issue Tracking, Third Party Advisory (issue-tracking, x_refsource_redhat): https://bugzilla.redhat.com/show_bug.cgi?id=2263929
Scores

CVSS v3 base score: 3.4
CVSS v3.1 vector: CVSS:3.1/AV:P/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector: PHYSICAL
EPSS: 0.0008
EPSS Percentile: 23.5%

CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: no
Technical Impact: total
Details

CWE: CWE-416 (Use After Free)
Status: published
Products (7)

fedoraproject/fedora 38
fedoraproject/fedora 39
fedoraproject/fedora 40
opensc_project/opensc < 0.25.0
redhat/enterprise_linux 7.0
redhat/enterprise_linux 8.0
redhat/enterprise_linux 9.0
Published: Feb 12, 2024
Tracked Since: Feb 18, 2026