CVE-2023-40660

MEDIUM 6.6

Opensc: potential pin bypass when card tracks its own login state

CVSS Score

6.6

EPSS Score

0.0%

EPSS Percentile

0th

A flaw was found in OpenSC packages that allow a potential PIN bypass. When a token/card is authenticated by one process, it can perform cryptographic operations in other processes when an empty zero-length pin is passed. This issue poses a security risk, particularly for OS logon/screen unlock and for small, permanently connected tokens to computers. Additionally, the token can internally track login status. This flaw allows an attacker to gain unauthorized access, carry out malicious actions, or compromise the system without the user's awareness.

CWE	CWE-287
Published	Nov 6, 2023
Last Updated	Nov 6, 2025

Stay Ahead of the Next One

Get instant alerts for

Be the first to know when new medium vulnerabilities are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Attack Vector

Physical

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Affected Versions

Red Hat / Red Hat Enterprise Linux 8

All versions affected

Red Hat / Red Hat Enterprise Linux 9

All versions affected

Red Hat / Red Hat Enterprise Linux 7

All versions affected

References

NVD ↗ CVE.org ↗ EPSS Data ↗

access.redhat.com: https://access.redhat.com/errata/RHSA-2023:7876 access.redhat.com: https://access.redhat.com/errata/RHSA-2023:7879 access.redhat.com: https://access.redhat.com/security/cve/CVE-2023-40660 bugzilla.redhat.com: https://bugzilla.redhat.com/show_bug.cgi?id=2240912 github.com: https://github.com/OpenSC/OpenSC/issues/2792#issuecomment-1674806651 github.com: https://github.com/OpenSC/OpenSC/releases/tag/0.24.0-rc1 github.com: https://github.com/OpenSC/OpenSC/wiki/OpenSC-security-advisories openwall.com: http://www.openwall.com/lists/oss-security/2023/12/13/2 lists.debian.org: https://lists.debian.org/debian-lts-announce/2023/11/msg00024.html lists.fedoraproject.org: https://lists.fedoraproject.org/archives/list/[email protected]/message/3CPQOMCDWFRBMEFR5VK4N5MMXXU42ODE/ lists.fedoraproject.org: https://lists.fedoraproject.org/archives/list/[email protected]/message/GLYEFIBBA37TK3UNMZN5NOJ7IWCIXLQP/ lists.debian.org: https://lists.debian.org/debian-lts-announce/2024/12/msg00026.html

Credits

Upstream acknowledges Deepanjan Pal (Oracle Corporation) as the original reporter.