Medium severity6.7OSV Advisory· Published Jan 16, 2026· Updated Apr 15, 2026

CVE-2025-24531

Description

In OpenSC pam_pkcs11 before 0.6.13, pam_sm_authenticate() wrongly returns PAM_IGNORE in many error situations (such as an error triggered by a smartcard before login), allowing authentication bypass.

Affected products

Opensc Project/Pam Pkcs11OSV
Range: pam_pkcs11-0.6.10, pam_pkcs11-0.6.11, pam_pkcs11-0.6.12, …

Patches

b8dbe6370d36

https://github.com/opensc/pam_pkcs11via osv

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

www.openwall.com/lists/oss-security/2025/02/06/3nvd
www.openwall.com/lists/oss-security/2025/02/06/7nvd
github.com/OpenSC/pam_pkcs11/security/advisories/GHSA-7mf6-rg36-qgchnvd
www.openwall.com/lists/oss-security/2025/02/06/3nvd

News mentions

No linked articles in our index yet.

cvss	0.436
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000