CVE Catalog

CVE-2024-8443

LowCVSS 2.9
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.31%

23th percentile — higher than 23% of all known CVEs

Summary

A heap-based buffer overflow vulnerability was found in the libopensc OpenPGP driver. A crafted USB device or smart card with malicious responses to APDUs during card enrollment using pkcs15-init may lead to out-of-bounds access, potentially allowing arbitrary code execution.

Risk Assessment

An attacker could exploit this vulnerability to execute arbitrary code in the context of the application using libopensc, potentially leading to system compromise or credential theft.

Recommendation

Immediately update the OpenSC library to a patched version. Restrict the use of pkcs15-init to trusted devices and cards only.

Original NVD description (English source)

A heap-based buffer overflow vulnerability was found in the libopensc OpenPGP driver. A crafted USB device or smart card with malicious responses to the APDUs during the card enrollment process using the `pkcs15-init` tool may lead to out-of-bound rights, possibly resulting in arbitrary code execution.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS