{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-13763", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "state": "PUBLISHED", "assignerShortName": "redhat", "dateReserved": "2025-11-27T14:35:05.731Z", "datePublished": "2026-04-23T12:27:41.820Z", "dateUpdated": "2026-04-23T14:05:23.182Z"}, "containers": {"cna": {"title": "Libopensc: opensc: multiple uses of uninitialized variable", "metrics": [{"other": {"content": {"value": "Low", "namespace": "https://access.redhat.com/security/updates/classification/"}, "type": "Red Hat severity rating"}}, {"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "PHYSICAL", "availabilityImpact": "HIGH", "baseScore": 5.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H", "version": "3.1"}, "format": "CVSS"}], "descriptions": [{"lang": "en", "value": "Multiple uses of uninitialized variables were found in libopensc that may lead to information disclosure or application crash. An attack requires a crafted USB device or smart card that would present the system with specially crafted responses to the APDUs"}], "affected": [{"vendor": "OpenSC", "product": "OpenSC", "versions": [{"status": "affected", "version": "0", "lessThan": "0.27.0", "versionType": "semver"}], "defaultStatus": "unaffected"}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 10", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "opensc", "defaultStatus": "affected", "cpes": ["cpe:/o:redhat:enterprise_linux:10"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 7", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "opensc", "defaultStatus": "affected", "cpes": ["cpe:/o:redhat:enterprise_linux:7"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "opensc", "defaultStatus": "affected", "cpes": ["cpe:/o:redhat:enterprise_linux:8"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 9", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "opensc", "defaultStatus": "affected", "cpes": ["cpe:/o:redhat:enterprise_linux:9"]}], "references": [{"url": "https://access.redhat.com/security/cve/CVE-2025-13763", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2417581", "name": "RHBZ#2417581", "tags": ["issue-tracking", "x_refsource_REDHAT"]}, {"url": "https://github.com/OpenSC/OpenSC/security/advisories/GHSA-2v44-fq35-98vv"}, {"url": "https://github.com/OpenSC/OpenSC/wiki/CVE-2025-13763"}], "datePublic": "2026-04-23T12:09:46.867Z", "workarounds": [{"lang": "en", "value": "To mitigate this issue, avoid connecting untrusted USB devices or smart cards to systems running affected versions of Red Hat Enterprise Linux. This operational control reduces the risk of an attacker presenting a specially crafted device to exploit the uninitialized variable flaws in `libopensc`."}], "timeline": [{"lang": "en", "time": "2025-11-27T14:28:07.219Z", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2026-04-23T12:09:46.867Z", "value": "Made public."}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2026-04-23T12:33:39.857Z"}, "x_generator": {"engine": "cvelib 1.8.0"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-457", "lang": "en", "description": "CWE-457 Use of Uninitialized Variable"}]}], "references": [{"url": "https://github.com/OpenSC/OpenSC/security/advisories/GHSA-2v44-fq35-98vv", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-23T14:04:28.240123Z", "id": "CVE-2025-13763", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-23T14:05:23.182Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-13763", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "state": "PUBLISHED", "assignerShortName": "redhat", "dateReserved": "2025-11-27T14:35:05.731Z", "datePublished": "2026-04-23T12:27:41.820Z", "dateUpdated": "2026-04-23T14:05:23.182Z"}, "containers": {"cna": {"title": "Libopensc: opensc: multiple uses of uninitialized variable", "metrics": [{"other": {"content": {"value": "Low", "namespace": "https://access.redhat.com/security/updates/classification/"}, "type": "Red Hat severity rating"}}, {"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "PHYSICAL", "availabilityImpact": "HIGH", "baseScore": 5.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H", "version": "3.1"}, "format": "CVSS"}], "descriptions": [{"lang": "en", "value": "Multiple uses of uninitialized variables were found in libopensc that may lead to information disclosure or application crash. An attack requires a crafted USB device or smart card that would present the system with specially crafted responses to the APDUs"}], "affected": [{"vendor": "OpenSC", "product": "OpenSC", "versions": [{"status": "affected", "version": "0", "lessThan": "0.27.0", "versionType": "semver"}], "defaultStatus": "unaffected"}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 10", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "opensc", "defaultStatus": "affected", "cpes": ["cpe:/o:redhat:enterprise_linux:10"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 7", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "opensc", "defaultStatus": "affected", "cpes": ["cpe:/o:redhat:enterprise_linux:7"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "opensc", "defaultStatus": "affected", "cpes": ["cpe:/o:redhat:enterprise_linux:8"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 9", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "opensc", "defaultStatus": "affected", "cpes": ["cpe:/o:redhat:enterprise_linux:9"]}], "references": [{"url": "https://access.redhat.com/security/cve/CVE-2025-13763", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2417581", "name": "RHBZ#2417581", "tags": ["issue-tracking", "x_refsource_REDHAT"]}, {"url": "https://github.com/OpenSC/OpenSC/security/advisories/GHSA-2v44-fq35-98vv"}, {"url": "https://github.com/OpenSC/OpenSC/wiki/CVE-2025-13763"}], "datePublic": "2026-04-23T12:09:46.867Z", "workarounds": [{"lang": "en", "value": "To mitigate this issue, avoid connecting untrusted USB devices or smart cards to systems running affected versions of Red Hat Enterprise Linux. This operational control reduces the risk of an attacker presenting a specially crafted device to exploit the uninitialized variable flaws in `libopensc`."}], "timeline": [{"lang": "en", "time": "2025-11-27T14:28:07.219Z", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2026-04-23T12:09:46.867Z", "value": "Made public."}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2026-04-23T12:33:39.857Z"}, "x_generator": {"engine": "cvelib 1.8.0"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-13763", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-23T14:04:28.240123Z"}}}], "references": [{"url": "https://github.com/OpenSC/OpenSC/security/advisories/GHSA-2v44-fq35-98vv", "tags": ["exploit"]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-457", "description": "CWE-457 Use of Uninitialized Variable"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-23T14:05:19.606Z"}}]}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Multiple uses of uninitialized variables were found in libopensc that may lead to information disclosure or application crash. An attack requires a crafted USB device or smart card that would present the system with specially crafted responses to the APDUs"}], "id": "CVE-2025-13763", "lastModified": "2026-04-24T14:50:56.203", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "PHYSICAL", "availabilityImpact": "HIGH", "baseScore": 5.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 0.5, "impactScore": 5.2, "source": "secalert@redhat.com", "type": "Secondary"}]}, "published": "2026-04-23T13:16:09.697", "references": [{"source": "secalert@redhat.com", "url": "https://access.redhat.com/security/cve/CVE-2025-13763"}, {"source": "secalert@redhat.com", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2417581"}, {"source": "secalert@redhat.com", "url": "https://github.com/OpenSC/OpenSC/security/advisories/GHSA-2v44-fq35-98vv"}, {"source": "secalert@redhat.com", "url": "https://github.com/OpenSC/OpenSC/wiki/CVE-2025-13763"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://github.com/OpenSC/OpenSC/security/advisories/GHSA-2v44-fq35-98vv"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-457"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"bugzilla": {"description": "libopensc: opensc: Multiple uses of uninitialized variable", "id": "2417581", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2417581"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.7", "cvss3_scoring_vector": "CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H", "status": "draft"}, "details": ["Multiple uses of uninitialized variables were found in libopensc that may lead to information disclosure or application crash. An attack requires a crafted USB device or smart card that would present the system with specially crafted responses to the APDUs"], "mitigation": {"lang": "en:us", "value": "To mitigate this issue, avoid connecting untrusted USB devices or smart cards to systems running affected versions of Red Hat Enterprise Linux. This operational control reduces the risk of an attacker presenting a specially crafted device to exploit the uninitialized variable flaws in `libopensc`."}, "name": "CVE-2025-13763", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "opensc", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Fix deferred", "package_name": "opensc", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "opensc", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "opensc", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-04-23T12:09:46Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-13763\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-13763\nhttps://github.com/OpenSC/OpenSC/security/advisories/GHSA-2v44-fq35-98vv\nhttps://github.com/OpenSC/OpenSC/wiki/CVE-2025-13763"], "statement": "Physical access is required for a successful attack of this vulnerability which increases the complexity and lowers the severity of this flaw hence it was rated Low.", "threat_severity": "Low"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,0.27.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "OpenSC", "source": "cna", "vendor": "OpenSC"}, "product": "opensc", "vendor": "opensc"}, {"configurations": [{"platform": null, "status": "affected", "versions": null}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "Red Hat Enterprise Linux 10", "source": "cna", "vendor": "Red Hat"}, "product": "enterprise_linux", "vendor": "redhat"}], "analysis": {"en": {"generated_at": "2026-04-28T14:53:30.119437+00:00", "value": {"mitigation_remediation": ["Use the Red\u202fHat recommended workaround by disabling or restricting the use of untrusted USB devices and smart cards on affected systems.", "Subscribe to Red\u202fHat security advisories and apply any forthcoming libopensc patches as soon as they are released.", "Consider disabling smart\u2011card reader functionality in production environments until a fixed version of libopensc is available."], "summary": {"action": "Apply Workaround", "impact": "Information Disclosure"}, "threat_synthesis": {"affected_systems": "The affected products are the OpenSC library (OpenSC:OpenSC) and Red\u202fHat Enterprise\u202fLinux distributions including versions 7, 8, 9, and 10. Specific vulnerable versions are not listed in the advisory; any release containing the uninitialized variable logic remains potentially impacted until a patch is released.", "description_and_impact": "The vulnerability is due to multiple uses of an uninitialized variable within the libopensc component, specifically impacting the handling of APDU responses from USB devices or smart cards. An attacker can create a crafted smart card or USB device that returns specially formulated responses, leading the library to read memory that has not been initialized. Depending on the context, this behavior can leak sensitive data that the process was not intended to expose, or it can trigger a crash of the application utilizing libopensc. The affected weakness is classified as CWE\u2011457, an Uninitialized Variable flaw.", "risk_and_exploitability": "This flaw carries a CVSS score of 5.7, indicating a moderate severity. The EPSS score is reported as less than 1\u202f%, suggesting a very low but non\u2011zero probability of exploitation in the wild, and it is not listed in the CISA KEV catalog. Exploitation requires the attacker to provide a malicious USB device or smart card that interacts with the target system, implying a local or physical device attack vector. Given the limited exploitability and moderate severity, the overall risk is considered moderate until a vendor patch becomes available."}}}}, "created": "2026-04-28T09:26:06.065646+00:00", "updated": "2026-04-28T15:00:14.514788+00:00", "vendors": ["opensc", "opensc$PRODUCT$opensc", "redhat", "redhat$PRODUCT$enterprise_linux"]}