CVE-2024-1454: Memory use after free in AuthentIC driver when updating token info
This advisory summarizes automatically reported security relevant issue that was reported since the release of OpenSC 0.24.0 and that are relevant to the handling the card enrollment process using pkcs15-init.
The Use After Free vulnerability was identified within the AuthentIC driver during the card enrollment process using pkcs15-init when a user or administrator enrolls or modifies cards. An attacker must have physical access to the computer system to take advantage of this flaw. The attack requires a crafted USB device or smart card to present the system with specially crafted responses to the APDUs, which are considered high complexity and low severity. This manipulation can potentially allow for compromising card management operations during enrollment.
- Issue 64898: opensc:fuzz_pkcs15init: Heap-use-after-free in authentic_emu_update_tokeninfo
- fixed with 5835f0d4f6c033bd58806d33fa546908d39825c9
Originally reported by OSS-fuzz automated service
CVSS:3.0/AV:P/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N (3.4)