{"id":"USN-7346-1","summary":"opensc vulnerabilities","details":"It was discovered that OpenSC did not correctly handle certain memory\noperations, which could lead to a use-after-free vulnerability. An\nattacker could possibly use this issue to cause a denial of service or\nexecute arbitrary code. This issue only affected Ubuntu 16.04 LTS,\nUbuntu 18.04 LTS and Ubuntu 20.04 LTS. (CVE-2021-42780)\n\nIt was discovered that OpenSC did not correctly handle certain memory\noperations, which could lead to a stack buffer overflow. An attacker\ncould possibly use this issue to cause a denial of service or execute\narbitrary code. This issue only affected Ubuntu 20.04 LTS. (CVE-2021-42782)\n\nIt was discovered that OpenSC did not correctly handle the length of\ncertain buffers, which could lead to an out-of-bounds access vulnerability.\nAn attacker could possibly use this issue to cause a denial of service or\nexecute arbitrary code. This issue only affected Ubuntu 16.04 LTS,\nUbuntu 18.04 LTS, Ubuntu 20.04 LTS and Ubuntu 22.04 LTS. (CVE-2023-2977)\n\nDeepanjan Pal discovered that OpenSC did not correctly authenticate a zero\nlength PIN. A physically proximate attacker could possibly use this issue\nto gain unauthorized access to certain systems. This issue only affected\nUbuntu 20.04 LTS and Ubuntu 22.04 LTS. (CVE-2023-40660)\n\nIt was discovered that OpenSC did not correctly handle certain memory\noperations. A physically proximate attacker could possibly use this issue\nto compromise key generation, certificate loading and other card\nmanagement operations. This issue only affected Ubuntu 20.04 LTS and\nUbuntu 22.04 LTS. (CVE-2023-40661)\n\nHubert Kario, Michal Shagam and Eyal Ronen discovered that OpenSC had a\ntiming side-channel and incorrectly handled RSA padding. An attacker\ncould possibly use this issue to recover sensitive information. This issue\nonly affected Ubuntu 22.04 LTS. 
(CVE-2023-5992)\n\nMatteo Marini discovered that OpenSC did not properly manage memory due to\ncertain uninitialized variables. A physically proximate attacker could\npossibly use this issue to gain unauthorized access to certain systems.\nThis issue only affected Ubuntu 20.04 LTS, Ubuntu 22.04 LTS,\nUbuntu 24.04 LTS and Ubuntu 24.10. (CVE-2024-45615)\n\nMatteo Marini discovered that OpenSC did not correctly handle certain\nmemory operations. A physically proximate attacker could possibly use this\nissue to gain unauthorized access to certain systems. This issue only\naffected Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, Ubuntu 24.04 LTS and\nUbuntu 24.10. (CVE-2024-45616, CVE-2024-45617)\n\nMatteo Marini discovered that OpenSC did not correctly handle certain\nmemory operations. A physically proximate attacker could possibly use this\nissue to gain unauthorized access to certain systems.\n(CVE-2024-45618, CVE-2024-45620)\n\nMatteo Marini discovered that OpenSC did not correctly handle certain\nmemory operations. A physically proximate attacker could possibly use this\nissue to gain unauthorized access to certain systems. This issue only\naffected Ubuntu 22.04 LTS, Ubuntu 24.04 LTS and Ubuntu 24.10.\n(CVE-2024-45619)\n\nIt was discovered that OpenSC did not correctly handle certain memory\noperations, which could lead to a buffer overflow. A physically\nproximate attacker could possibly use this issue to compromise card\nmanagement operations during enrollment and modification. This issue only\naffected Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, Ubuntu 24.04 LTS and\nUbuntu 24.10. 
(CVE-2024-8443)\n","modified":"2026-02-10T04:47:18Z","published":"2025-03-12T05:37:20Z","related":["UBUNTU-CVE-2021-42780","UBUNTU-CVE-2021-42782","UBUNTU-CVE-2023-2977","UBUNTU-CVE-2023-40660","UBUNTU-CVE-2023-40661","UBUNTU-CVE-2023-5992","UBUNTU-CVE-2024-45615","UBUNTU-CVE-2024-45616","UBUNTU-CVE-2024-45617","UBUNTU-CVE-2024-45618","UBUNTU-CVE-2024-45619","UBUNTU-CVE-2024-45620","UBUNTU-CVE-2024-8443"],"upstream":["CVE-2021-42780","CVE-2021-42782","CVE-2023-2977","CVE-2023-40660","CVE-2023-40661","CVE-2023-5992","CVE-2024-45615","CVE-2024-45616","CVE-2024-45617","CVE-2024-45618","CVE-2024-45619","CVE-2024-45620","CVE-2024-8443","UBUNTU-CVE-2021-42780","UBUNTU-CVE-2021-42782","UBUNTU-CVE-2023-2977","UBUNTU-CVE-2023-40660","UBUNTU-CVE-2023-40661","UBUNTU-CVE-2023-5992","UBUNTU-CVE-2024-45615","UBUNTU-CVE-2024-45616","UBUNTU-CVE-2024-45617","UBUNTU-CVE-2024-45618","UBUNTU-CVE-2024-45619","UBUNTU-CVE-2024-45620","UBUNTU-CVE-2024-8443"],"references":[{"type":"ADVISORY","url":"https://ubuntu.com/security/notices/USN-7346-1"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2021-42780"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2021-42782"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2023-2977"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2023-5992"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2023-40660"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2023-40661"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2024-8443"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2024-45615"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2024-45616"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2024-45617"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2024-45618"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2024-45619"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2024-45620"}],"affected":[{"package":{"name":"opensc","ecosystem":"Ubuntu:Pro:16.
04:LTS","purl":"pkg:deb/ubuntu/opensc@0.15.0-1ubuntu1+esm2?arch=source&distro=esm-apps/xenial"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0.15.0-1ubuntu1+esm2"}]}],"versions":["0.15.0-1ubuntu1","0.15.0-1ubuntu1+esm1"],"ecosystem_specific":{"availability":"Available with Ubuntu Pro: https://ubuntu.com/pro","binaries":[{"binary_version":"0.15.0-1ubuntu1+esm2","binary_name":"opensc"},{"binary_version":"0.15.0-1ubuntu1+esm2","binary_name":"opensc-pkcs11"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-7346-1.json","cves_map":{"cves":[{"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"type":"Ubuntu","score":"medium"}],"id":"CVE-2021-42780"},{"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H"},{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H"},{"type":"Ubuntu","score":"medium"}],"id":"CVE-2023-2977"},{"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"type":"CVSS_V3","score":"CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"type":"Ubuntu","score":"medium"}],"id":"CVE-2024-45618"},{"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"type":"CVSS_V3","score":"CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"type":"Ubuntu","score":"medium"}],"id":"CVE-2024-45620"}],"ecosystem":"Ubuntu:Pro:16.04:LTS"}}},{"package":{"name":"opensc","ecosystem":"Ubuntu:Pro:18.04:LTS","purl":"pkg:deb/ubuntu/opensc@0.17.0-3ubuntu0.1~esm2?arch=source&distro=esm-apps/bionic"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0.17.0-3ubuntu0.1~esm2"}]}],"versions":["0.17.0-1","0.17.0-2","0.17.0-2build1","0.17.0-3","0.17.0-3ubuntu0.1~esm1"],"ecosystem_specific":{"availability":"Available with Ubuntu Pro: 
https://ubuntu.com/pro","binaries":[{"binary_version":"0.17.0-3ubuntu0.1~esm2","binary_name":"opensc"},{"binary_version":"0.17.0-3ubuntu0.1~esm2","binary_name":"opensc-pkcs11"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-7346-1.json","cves_map":{"cves":[{"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"type":"Ubuntu","score":"medium"}],"id":"CVE-2021-42780"},{"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H"},{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H"},{"type":"Ubuntu","score":"medium"}],"id":"CVE-2023-2977"},{"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"type":"CVSS_V3","score":"CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"type":"Ubuntu","score":"medium"}],"id":"CVE-2024-45618"},{"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"type":"CVSS_V3","score":"CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"type":"Ubuntu","score":"medium"}],"id":"CVE-2024-45620"}],"ecosystem":"Ubuntu:Pro:18.04:LTS"}}},{"package":{"name":"opensc","ecosystem":"Ubuntu:Pro:20.04:LTS","purl":"pkg:deb/ubuntu/opensc@0.20.0-3ubuntu0.1~esm2?arch=source&distro=esm-apps/focal"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0.20.0-3ubuntu0.1~esm2"}]}],"versions":["0.19.0-2","0.20.0-1","0.20.0-2","0.20.0-3","0.20.0-3ubuntu0.1~esm1"],"ecosystem_specific":{"availability":"Available with Ubuntu Pro: 
https://ubuntu.com/pro","binaries":[{"binary_version":"0.20.0-3ubuntu0.1~esm2","binary_name":"opensc"},{"binary_version":"0.20.0-3ubuntu0.1~esm2","binary_name":"opensc-pkcs11"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-7346-1.json","cves_map":{"cves":[],"ecosystem":"Ubuntu:Pro:20.04:LTS"}}},{"package":{"name":"opensc","ecosystem":"Ubuntu:Pro:22.04:LTS","purl":"pkg:deb/ubuntu/opensc@0.22.0-1ubuntu2+esm1?arch=source&distro=esm-apps/jammy"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0.22.0-1ubuntu2+esm1"}]}],"versions":["0.21.0-1ubuntu1","0.22.0-1ubuntu2"],"ecosystem_specific":{"availability":"Available with Ubuntu Pro: https://ubuntu.com/pro","binaries":[{"binary_version":"0.22.0-1ubuntu2+esm1","binary_name":"opensc"},{"binary_version":"0.22.0-1ubuntu2+esm1","binary_name":"opensc-pkcs11"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-7346-1.json","cves_map":{"cves":[{"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H"},{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H"},{"type":"Ubuntu","score":"medium"}],"id":"CVE-2023-2977"},{"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"type":"Ubuntu","score":"medium"}],"id":"CVE-2023-5992"},{"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"type":"CVSS_V3","score":"CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"type":"Ubuntu","score":"medium"}],"id":"CVE-2023-40660"},{"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H"},{"type":"CVSS_V3","score":"CVSS:3.1/AV:P/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"type":"Ubuntu","score":"medium"}],"id":"CVE-2023-40661"},{"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:P/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N"},{"ty
pe":"CVSS_V3","score":"CVSS:3.1/AV:P/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N"},{"type":"Ubuntu","score":"medium"}],"id":"CVE-2024-8443"},{"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"type":"CVSS_V3","score":"CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"type":"Ubuntu","score":"medium"}],"id":"CVE-2024-45615"},{"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"type":"CVSS_V3","score":"CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"type":"Ubuntu","score":"medium"}],"id":"CVE-2024-45616"},{"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"type":"CVSS_V3","score":"CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"type":"Ubuntu","score":"medium"}],"id":"CVE-2024-45617"},{"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"type":"CVSS_V3","score":"CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"type":"Ubuntu","score":"medium"}],"id":"CVE-2024-45618"},{"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"type":"CVSS_V3","score":"CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"type":"Ubuntu","score":"medium"}],"id":"CVE-2024-45619"},{"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"type":"CVSS_V3","score":"CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"type":"Ubuntu","score":"medium"}],"id":"CVE-2024-45620"}],"ecosystem":"Ubuntu:Pro:22.04:LTS"}}},{"package":{"name":"opensc","ecosystem":"Ubuntu:Pro:24.04:LTS","purl":"pkg:deb/ubuntu/opensc@0.25.0~rc1-1ubuntu0.1~esm1?arch=source&distro=esm-apps/noble"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0.25.0~rc1-1ubuntu0.1~esm1"}]}],"versions":["0.23.0-1ubuntu4","0.24.0~rc1-1","0.25.0~rc1-1","0.25.0~rc1-1build1","0.25.0~rc1-1build2"],"ecosystem_specific":{"availability":"Available with Ubuntu Pro: 
https://ubuntu.com/pro","binaries":[{"binary_version":"0.25.0~rc1-1ubuntu0.1~esm1","binary_name":"opensc"},{"binary_version":"0.25.0~rc1-1ubuntu0.1~esm1","binary_name":"opensc-pkcs11"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-7346-1.json","cves_map":{"cves":[{"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:P/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N"},{"type":"CVSS_V3","score":"CVSS:3.1/AV:P/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N"},{"type":"Ubuntu","score":"medium"}],"id":"CVE-2024-8443"},{"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"type":"CVSS_V3","score":"CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"type":"Ubuntu","score":"medium"}],"id":"CVE-2024-45615"},{"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"type":"CVSS_V3","score":"CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"type":"Ubuntu","score":"medium"}],"id":"CVE-2024-45616"},{"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"type":"CVSS_V3","score":"CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"type":"Ubuntu","score":"medium"}],"id":"CVE-2024-45617"},{"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"type":"CVSS_V3","score":"CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"type":"Ubuntu","score":"medium"}],"id":"CVE-2024-45618"},{"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"type":"CVSS_V3","score":"CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"type":"Ubuntu","score":"medium"}],"id":"CVE-2024-45619"},{"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"type":"CVSS_V3","score":"CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"type":"Ubuntu","score":"medium"}],"id":"CVE-2024-45620"}],"ecosystem":"Ubuntu:Pro:24.04:LTS"}}}],"schema_version":"1.7.3"}