Unrated severityOSV Advisory· Published Nov 6, 2023· Updated Nov 6, 2025

Opensc: potential pin bypass when card tracks its own login state

CVE-2023-40660

Description

A flaw was found in OpenSC packages that allow a potential PIN bypass. When a token/card is authenticated by one process, it can perform cryptographic operations in other processes when an empty zero-length pin is passed. This issue poses a security risk, particularly for OS logon/screen unlock and for small, permanently connected tokens to computers. Additionally, the token can internally track login status. This flaw allows an attacker to gain unauthorized access, carry out malicious actions, or compromise the system without the user's awareness.

Affected products

Opensc Project/libopenscOSV
Range: 0.12.2, 0.12.2-rc1, 0.13.0, …

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

access.redhat.com/errata/RHSA-2023:7876mitrevendor-advisoryx_refsource_REDHAT
access.redhat.com/errata/RHSA-2023:7879mitrevendor-advisoryx_refsource_REDHAT
access.redhat.com/security/cve/CVE-2023-40660mitrevdb-entryx_refsource_REDHAT
bugzilla.redhat.com/show_bug.cgimitreissue-trackingx_refsource_REDHAT
github.com/OpenSC/OpenSC/issues/2792mitre
github.com/OpenSC/OpenSC/releases/tag/0.24.0-rc1mitre

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000