CVE-2019-20792
Description
OpenSC before 0.20.0 has a double free in coolkey_free_private_data because coolkey_add_object in libopensc/card-coolkey.c lacks a uniqueness check.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A double-free vulnerability in OpenSC before 0.20.0 allows attackers to cause a denial of service or, potentially, arbitrary code execution via crafted smart cards.
Vulnerability
A double-free vulnerability exists in OpenSC versions before 0.20.0 in the function coolkey_free_private_data within libopensc/card-coolkey.c. The root cause is that coolkey_add_object lacks a uniqueness check for object IDs. When duplicate object IDs are added, the list can contain multiple entries for the same object, leading to a double-free when the private data is cleaned up [1][2]. All versions prior to 0.20.0 are affected.
Exploitation
An attacker must have the ability to present a crafted smart card or device that provides duplicate object IDs to the Coolkey driver. The card must interact with OpenSC via the PKCS#11 interface or other applications that use the library. No authentication is required beyond physical access to the device or being able to remotely emulate one (e.g., via PC/SC). The vulnerability is triggered during the normal processing of card data when coolkey_add_object is called multiple times without checking for duplicates [2].
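The uniqueness check described in the Vulnerability and Exploitation paragraphs above, shown in a simplified stand-alone model. This is an added example, not OpenSC's code: the `model_*` names, the fixed-size array and the error codes are assumptions made for illustration. It keeps the same order as the fix: look the ID up first, and allocate only when it is new.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified model of an ID-keyed object list; names are hypothetical, not OpenSC's. */
#define MODEL_MAX_OBJECTS 16
enum { MODEL_OK = 0, MODEL_ERR_DUPLICATE = -1, MODEL_ERR_NO_MEMORY = -2, MODEL_ERR_FULL = -3 };
typedef struct { unsigned long id; size_t length; unsigned char *data; } model_object_t;
typedef struct { model_object_t objects[MODEL_MAX_OBJECTS]; size_t count; } model_list_t;

static model_object_t *model_find_by_id(model_list_t *list, unsigned long id) {
    for (size_t i = 0; i < list->count; i++)
        if (list->objects[i].id == id) return &list->objects[i];
    return NULL;
}

/* The uniqueness check runs before malloc, so a rejected duplicate neither
 * leaks memory nor leaves two entries for cleanup to release. */
static int model_add_object(model_list_t *list, unsigned long id,
                            const unsigned char *data, size_t length) {
    if (list->count == MODEL_MAX_OBJECTS) return MODEL_ERR_FULL;
    if (model_find_by_id(list, id) != NULL) return MODEL_ERR_DUPLICATE;
    unsigned char *copy = NULL;
    if (data != NULL && length > 0) {
        if ((copy = malloc(length)) == NULL) return MODEL_ERR_NO_MEMORY;
        memcpy(copy, data, length);
    }
    list->objects[list->count++] = (model_object_t){ id, length, copy };
    return MODEL_OK;
}

/* Release each entry's buffer once, then reset the list; returns entries released. */
static size_t model_free_all(model_list_t *list) {
    size_t released = list->count;
    for (size_t i = 0; i < released; i++)
        free(list->objects[i].data);
    *list = (model_list_t){ .count = 0 };  /* drop stale pointers */
    return released;
}

int main(void) {
    /* Constructed sample: object IDs as an untrusted card might report them. */
    const unsigned long ids[] = { 0x10, 0x11, 0x10, 0x12, 0x11 };
    model_list_t list = { .count = 0 };
    for (size_t i = 0; i < sizeof ids / sizeof *ids; i++)
        printf("id 0x%lx -> %d\n", ids[i],
               model_add_object(&list, ids[i], (const unsigned char *)"x", 1));
    printf("released %zu entries\n", model_free_all(&list));
    return 0;
}
```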
Impact
Successful exploitation leads to a double-free memory corruption. This can result in a denial of service (library crash) and, in some cases, arbitrary code execution depending on heap layout. An attacker could potentially execute code with the privileges of the application using OpenSC (e.g., smart card authentication daemon or browser). The integrity and availability of the system are at risk.
Mitigation
The vulnerability is fixed in OpenSC version 0.20.0. Users should upgrade to at least 0.20.0 to address the issue [1]. No workaround is available for earlier versions. This CVE is not listed in CISA's Known Exploited Vulnerabilities catalog as of publication.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- OpenSC/OpenSC
  - Range: <0.20.0
- osv-coords, 7 versions:
  - pkg:rpm/opensuse/opensc&distro=openSUSE%20Leap%2015.2
  - pkg:rpm/opensuse/opensc&distro=openSUSE%20Tumbleweed
  - pkg:rpm/suse/opensc&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015-ESPOS
  - pkg:rpm/suse/opensc&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015-LTSS
  - pkg:rpm/suse/opensc&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP2
  - pkg:rpm/suse/opensc&distro=SUSE%20Linux%20Enterprise%20Server%2015-LTSS
  - pkg:rpm/suse/opensc&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015
- (no CPE) range: < 0.19.0-lp152.3.3.1
- (no CPE) range: < 0.22.0-3.1
- (no CPE) range: < 0.18.0-150000.3.23.1
- (no CPE) range: < 0.18.0-150000.3.23.1
- (no CPE) range: < 0.19.0-3.7.1
- (no CPE) range: < 0.18.0-150000.3.23.1
- (no CPE) range: < 0.18.0-150000.3.23.1
Patches
1 file changed · +15 −1
src/tests/fuzzing/fuzz_pkcs15_reader.c+15 −1 modified@@ -233,10 +233,24 @@ int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) int wrap_flags[] = {0, SC_ALGORITHM_AES_ECB, SC_ALGORITHM_AES_CBC_PAD, SC_ALGORITHM_AES_CBC}; for (i = 0; i < sizeof wrap_flags/sizeof *wrap_flags; i++) { + unsigned long l = sizeof buf; struct sc_pkcs15_object target_key; + struct sc_pkcs15_skey_info skey_info; + memset(&target_key, 0, sizeof target_key); + memset(&skey_info, 0, sizeof skey_info); + target_key.type = SC_PKCS15_TYPE_SKEY; + target_key.flags = 2; /* TODO not sure what these mean */ + target_key.session_object = 1; + target_key.data = skey_info; + skey_info.usage = (unsigned int) args.usage; + skey_info.native = 0; /* card can not use this */ + skey_info.access_flags = 0; /* looks like not needed */ + skey_info.key_type = 0x1fUL; /* CKK_AES */ + skey_info.value_len = 128; + fuzz_get_chunk(reader, &skey_info.data.value, &skey_info.data.len); + sc_pkcs15_unwrap(p15card, obj, &target_key, wrap_flags[i], in, in_len, param, param_len); - unsigned long l = sizeof buf; sc_pkcs15_wrap(p15card, obj, &target_key, wrap_flags[i], buf, &l, in, in_len); }
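Review bot: `target_key.data = skey_info;` assigns the struct by value rather than its address, and it runs before `skey_info.usage`, `key_type`, `value_len` and the `fuzz_get_chunk` output are filled in, so a copy taken at that point would not carry any of those fields. If `data` is meant to reference the key info, write `target_key.data = &skey_info;`. Two smaller points in the same hunk: the result of `fuzz_get_chunk` is not checked before `sc_pkcs15_unwrap` and `sc_pkcs15_wrap` are called, and `target_key.flags = 2` (with its TODO comment) and `0x1fUL` would be easier to review as named constants.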
c246f6f69a74 coolkey: Make sure the object ID is unique when filling list
1 file changed · +5 −0
src/libopensc/card-coolkey.c+5 −0 modified@@ -1945,6 +1945,11 @@ coolkey_add_object(coolkey_private_data_t *priv, unsigned long object_id, const new_object.id = object_id; new_object.length = object_length; + /* The object ID needs to be unique */ + if (coolkey_find_object_by_id(&priv->objects_list, object_id) != NULL) { + return SC_ERROR_INTERNAL; + } + if (object_data) { new_object.data = malloc(object_length + add_v1_record); if (new_object.data == NULL) {
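Review bot: the new duplicate-ID branch in `coolkey_add_object` returns `SC_ERROR_INTERNAL` silently, although the condition is triggered by the `object_id` argument rather than by an internal fault. Consider logging the repeated `object_id` and returning an error code that lets callers distinguish a malformed object list from other failures. Placing the check before the `malloc` is the right order, since the early return then leaves nothing allocated.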
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- bugs.chromium.org/p/oss-fuzz/issues/detail (mitre, x_refsource_MISC)
- github.com/OpenSC/OpenSC/commit/c246f6f69a749d4f68626b40795a4f69168008f4 (mitre, x_refsource_MISC)
- github.com/OpenSC/OpenSC/compare/0.19.0...0.20.0 (mitre, x_refsource_MISC)