CVE-2023-2977
Description
A vulnerability was found in OpenSC. This security flaw causes a buffer overrun vulnerability in pkcs15 cardos_have_verifyrc_package. The attacker can supply a smart card package with a malformed ASN1 context. The cardos_have_verifyrc_package function scans the ASN1 buffer for 2 tags, where the remaining length is wrongly calculated due to the moved starting pointer. This leads to a possible heap-based buffer out-of-bounds read. In cases where ASAN is enabled while compiling, this causes a crash. Further info leak or more damage is possible.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A heap-based buffer over-read in OpenSC's pkcs15-cardos.c, exploitable via a crafted smart card, risks information disclosure or crash.
Vulnerability
A heap-based buffer over-read vulnerability exists in OpenSC, affecting the function cardos_have_verifyrc_package in src/pkcs15init/pkcs15-cardos.c. The flaw involves incorrect length calculation when the pointer p is moved after each sc_asn1_find_tag invocation during ASN.1 parsing. This occurs while scanning a response buffer for two specific tags (0xe1 and 0x01). The bug is present in versions of OpenSC prior to a fix that follows the pattern of commit 1252aca. The attacker must supply a smart card with a malformed ASN.1 context that triggers the miscalculation [1][3].
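The length miscalculation described above, shown as an added example (not OpenSC's code; find_tag is a simplified stand-in for sc_asn1_find_tag, and the response buffers are constructed): after the first tag is found and the pointer advances, the second scan must receive the length that actually remains, not the original len.

```c
#include <stddef.h>
#include <stdint.h>

/* Simplified TLV finder standing in for sc_asn1_find_tag (assumption: not
 * OpenSC's code; one-byte tags and short-form lengths only). Scans buf[0..len)
 * for the first TLV carrying `tag`; returns a pointer to its value, stores the
 * value length in *vlen and the position just after the value in *next.
 * Returns NULL when the tag is absent or a length field overruns `len`. */
static const uint8_t *find_tag(const uint8_t *buf, size_t len, uint8_t tag,
                               size_t *vlen, const uint8_t **next)
{
    const uint8_t *p = buf, *end = buf + len;
    while (end - p >= 2) {
        uint8_t t = p[0], l = p[1];
        if ((size_t)l > (size_t)(end - (p + 2)))
            return NULL;           /* declared length exceeds what is left */
        if (t == tag) {
            *vlen = l;
            *next = p + 2 + l;
            return p + 2;
        }
        p += 2 + l;
    }
    return NULL;
}

/* Two-tag scan in the shape described for cardos_have_verifyrc_package:
 * tag 0xE1 first, then tag 0x01 after it. The second call gets the bytes that
 * truly remain past the advanced pointer. Reusing the original `len` here is
 * the bug class behind CVE-2023-2977: it lets the scanner treat `next - buf`
 * bytes beyond the real end of the heap buffer as in bounds.
 * Returns 1 if both tags are found, 0 otherwise. */
int have_verifyrc_package(const uint8_t *buf, size_t len)
{
    size_t vlen;
    const uint8_t *next;
    if (find_tag(buf, len, 0xE1, &vlen, &next) == NULL)
        return 0;
    size_t remaining = len - (size_t)(next - buf);   /* not plain `len` */
    return find_tag(next, remaining, 0x01, &vlen, &next) != NULL;
}

/* Constructed sample responses, not captured from any real card. */
const uint8_t resp_ok[]        = {0xE1, 0x02, 0xAA, 0xBB, 0x01, 0x01, 0x03};
const uint8_t resp_no_second[] = {0xE1, 0x02, 0xAA, 0xBB, 0x02, 0x01, 0x03};
/* Tag 0x01 declares 16 value bytes while only one byte remains. */
const uint8_t resp_truncated[] = {0xE1, 0x02, 0xAA, 0xBB, 0x01, 0x10, 0x03};
```

With the recomputed remaining length the truncated response is rejected instead of being read past its end.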
Exploitation
An attacker with physical access to a system or the ability to insert a malicious smart card can exploit this vulnerability. The attacker presents a crafted card that returns a specifically malformed ASN.1 structure in the response to the APDU command. The cardos_have_verifyrc_package function then processes the buffer, where the pointer p is advanced incorrectly, leading to a read beyond the allocated heap buffer. No authentication is required beyond card insertion; the attack can occur during normal card operations performed by the OpenSC library [1][3].
Impact
Successful exploitation results in a heap-based out-of-bounds read. This can cause a crash if AddressSanitizer (ASAN) is enabled during compilation, or lead to information disclosure of adjacent heap memory. In more severe scenarios, further damage or leakage of sensitive data is possible. The overall impact is limited to information disclosure and potential denial of service; Remote Code Execution (RCE) is not indicated [1][2].
Mitigation
A fix has been proposed and is expected to be included in a future OpenSC release, following the patch pattern referenced in the GitHub issue [3]. As of the publication date (2023-06-01), the vulnerability is marked NEW in Red Hat's Bugzilla, with a low severity, and no fixed version has been formally released [2]. Red Hat lists the bug as affecting OpenSC packages; users should monitor for updates from their distribution. No workaround is currently available. The vulnerability is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
No CPE identifiers are assigned; the OSV package coordinates and affected version ranges (14 entries) are listed instead:
- pkg:rpm/almalinux/opensc: < 0.23.0-2.el9
- pkg:rpm/opensuse/opensc (openSUSE Leap 15.4): < 0.22.0-150400.3.3.1
- pkg:rpm/opensuse/opensc (openSUSE Leap 15.5): < 0.22.0-150400.3.3.1
- pkg:rpm/opensuse/opensc (openSUSE Leap Micro 5.3): < 0.22.0-150400.3.3.1
- pkg:rpm/opensuse/opensc (openSUSE Tumbleweed): < 0.23.0-2.1
- pkg:rpm/suse/opensc (SUSE Linux Enterprise Micro 5.1): < 0.19.0-150100.3.22.1
- pkg:rpm/suse/opensc (SUSE Linux Enterprise Micro 5.2): < 0.19.0-150100.3.22.1
- pkg:rpm/suse/opensc (SUSE Linux Enterprise Micro 5.3): < 0.22.0-150400.3.3.1
- pkg:rpm/suse/opensc (SUSE Linux Enterprise Micro 5.4): < 0.22.0-150400.3.3.1
- pkg:rpm/suse/opensc (SUSE Linux Enterprise Module for Basesystem 15 SP4): < 0.22.0-150400.3.3.1
- pkg:rpm/suse/opensc (SUSE Linux Enterprise Module for Basesystem 15 SP5): < 0.22.0-150400.3.3.1
- pkg:rpm/suse/opensc (SUSE Linux Enterprise Real Time 15 SP3): < 0.19.0-150100.3.22.1
- pkg:rpm/suse/opensc (SUSE Linux Enterprise Server 12 SP5): < 0.13.0-3.22.1
- pkg:rpm/suse/opensc (SUSE Linux Enterprise Server for SAP Applications 12 SP5): < 0.13.0-3.22.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FJD4Q4AJSGE5UIJI7OUYZY4HGGCVYQNI/ (vendor advisory)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LAR54OV6EHA56B4XJF6RNPQ4HJ2ITU66/ (vendor advisory)
- lists.debian.org/debian-lts-announce/2023/06/msg00025.html (mailing list)
- access.redhat.com/security/cve/CVE-2023-2977
- bugzilla.redhat.com/show_bug.cgi
- github.com/OpenSC/OpenSC/issues/2785
- github.com/OpenSC/OpenSC/pull/2787
News mentions
No linked articles in our index yet.