CVE-2024-45618
LowCVSS 3.9Exploitation Probability (EPSS)
Low risk20th percentile — higher than 20% of all known CVEs
Summary
A vulnerability was found in pkcs15-init in OpenSC due to insufficient or missing checking of return values of functions. An attacker could use a crafted USB device or smart card presenting specially crafted APDU responses, leading to the use of uninitialized variables.
Risk Assessment
The risk involves potential arbitrary code execution or system integrity compromise by an attacker physically connecting a malicious device. This could lead to unpredictable behavior in applications using OpenSC.
Recommendation
Update OpenSC to the latest version immediately, which includes fixes for return value checking. Additionally, restrict physical access to USB ports and use only trusted smart cards.
Original NVD description (English source)
A vulnerability was found in pkcs15-init in OpenSC. An attacker could use a crafted USB Device or Smart Card, which would present the system with a specially crafted response to APDUs. Insufficient or missing checking of return values of functions leads to unexpected work with variables that have not been initialized.

