CVE-2018-16424
Description
A double free when handling responses in read_file in tools/egk-tool.c (aka the eGK card tool) in OpenSC before 0.19.0-rc1 could be used by attackers able to supply crafted smartcards to cause a denial of service (application crash) or possibly have unspecified other impact.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Double free in read_file in OpenSC before 0.19.0-rc1 allows crafted smartcard to cause denial of service or possibly other impact.
Vulnerability
A double free vulnerability exists in the read_file function in tools/egk-tool.c in OpenSC versions before 0.19.0-rc1. The issue occurs when handling responses from smartcards. An attacker can supply a crafted smartcard that triggers a double free, leading to memory corruption [1].
Exploitation
To exploit, an attacker needs physical access to the system to insert a malicious smartcard, or the ability to emulate a smartcard via a card reader. The attacker crafts a smartcard that sends a specially malformed response to APDU commands processed by the read_file function. No authentication is required; the vulnerability is triggered during normal card interaction [1].
Impact
Successful exploitation can cause a denial of service via application crash. The description also mentions "possibly have unspecified other impact," which could include arbitrary code execution, though this is not confirmed in available references [1].
Mitigation
The vulnerability is fixed in OpenSC version 0.19.0-rc1, released on 2018-09-04 [3]. Users should upgrade to this version or later. No workarounds are documented; as a general precaution, only use smartcards from trusted sources [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: < 0.19.0-rc1
- OSV coordinates (2 versions):
  - pkg:rpm/opensuse/opensc&distro=openSUSE%20Tumbleweed
  - pkg:rpm/suse/opensc&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015
- (no CPE) range: < 0.21.0-2.2
- (no CPE) range: < 0.18.0-3.8.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/OpenSC/OpenSC/commit/360e95d45ac4123255a4c796db96337f332160ad (MITRE, x_refsource_MISC)
- github.com/OpenSC/OpenSC/releases/tag/0.19.0-rc1 (MITRE, x_refsource_MISC)
- lists.debian.org/debian-lts-announce/2019/09/msg00009.html (MITRE, mailing list, x_refsource_MLIST)
- www.x41-dsec.de/lab/advisories/x41-2018-002-OpenSC/ (MITRE, x_refsource_MISC)
News mentions
No linked articles in our index yet.