CVE-2025-49010

OpenSC is an open source smart card tools and middleware. Prior to version 0.27.0, an attacker with physical access to the computer at the time user or administrator uses a token can cause a stack-buffer-overflow write in GET RESPONSE. The attack requires crafted USB device or smart card that would present the system with specially crafted responses to the APDUs. This issue has been patched in version 0.27.0.

CVSS v3 3.8 LOW

3.8^/10

CVSS v3 : LOW

Vector :

Exploitability : 0.4 / Impact : 3.4

Attack Vector PHYSICAL

Attack Complexity HIGH

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact LOW

Scope UNCHANGED

References

Link	Resource
https://github.com/OpenSC/OpenSC/security/advisories/GHSA-q5cf-5wmx-9wh4	Vendor Advisory
https://github.com/OpenSC/OpenSC/wiki/CVE-2025-49010	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:opensc_project:opensc:*:*:*:*:*:*:*:*

History

01 Apr 2026, 18:01

Type	Values Removed	Values Added
References	~~() https://github.com/OpenSC/OpenSC/security/advisories/GHSA-q5cf-5wmx-9wh4 -~~	() https://github.com/OpenSC/OpenSC/security/advisories/GHSA-q5cf-5wmx-9wh4 - Vendor Advisory
References	~~() https://github.com/OpenSC/OpenSC/wiki/CVE-2025-49010 -~~	() https://github.com/OpenSC/OpenSC/wiki/CVE-2025-49010 - Vendor Advisory
CPE		cpe:2.3:a:opensc_project:opensc::::::::
First Time		Opensc Project opensc Opensc Project

01 Apr 2026, 14:24

Type	Values Removed	Values Added
Summary		(es) OpenSC es un conjunto de herramientas y middleware de código abierto para tarjetas inteligentes. Antes de la versión 0.27.0, un atacante con acceso físico al ordenador en el momento en que un usuario o administrador utiliza un token puede causar una escritura de desbordamiento de búfer de pila en GET RESPONSE. El ataque requiere un dispositivo USB manipulado o una tarjeta inteligente manipulada que presentaría al sistema respuestas especialmente diseñadas para las APDU. Este problema ha sido parcheado en la versión 0.27.0.

30 Mar 2026, 18:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-30 18:16

Updated : 2026-04-01 18:01

NVD link : CVE-2025-49010

Mitre link : CVE-2025-49010

CVE.ORG link : CVE-2025-49010

JSON object : View

Products Affected

opensc_project

opensc

CWE

CWE-121

Stack-based Buffer Overflow

{"id": "CVE-2025-49010", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.8, "attackVector": "PHYSICAL", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:P/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 3.4, "exploitabilityScore": 0.4}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.8, "attackVector": "PHYSICAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 0.9}]}, "published": "2026-03-30T18:16:16.950", "references": [{"url": "https://github.com/OpenSC/OpenSC/security/advisories/GHSA-q5cf-5wmx-9wh4", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/OpenSC/OpenSC/wiki/CVE-2025-49010", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-121"}]}], "descriptions": [{"lang": "en", "value": "OpenSC is an open source smart card tools and middleware. Prior to version 0.27.0, an attacker with physical access to the computer at the time user or administrator uses a token can cause a stack-buffer-overflow write in GET RESPONSE. The attack requires crafted USB device or smart card that would present the system with specially crafted responses to the APDUs. This issue has been patched in version 0.27.0."}, {"lang": "es", "value": "OpenSC es un conjunto de herramientas y middleware de c\u00f3digo abierto para tarjetas inteligentes. Antes de la versi\u00f3n 0.27.0, un atacante con acceso f\u00edsico al ordenador en el momento en que un usuario o administrador utiliza un token puede causar una escritura de desbordamiento de b\u00fafer de pila en GET RESPONSE. El ataque requiere un dispositivo USB manipulado o una tarjeta inteligente manipulada que presentar\u00eda al sistema respuestas especialmente dise\u00f1adas para las APDU. Este problema ha sido parcheado en la versi\u00f3n 0.27.0."}], "lastModified": "2026-04-01T18:01:59.100", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:opensc_project:opensc:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D890677F-5379-4587-B8E7-D38B02AD525A", "versionEndExcluding": "0.27.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}