CVE-2025-13763
Multiple uses of uninitialized variables were found in libopensc that may lead to information disclosure or application crash. An attack req
CVSS
5.7
Medium
EPSS
0.2%
p7
KEV
—
Exploit Today
2
0-100
Published: Apr 23, 2026 · Last modified: Jun 30, 2026 · CWE-457
0.2%EPSS · 30 days0.2%
2026-06-302026-07-17
Multiple uses of uninitialized variables were found in libopensc that may lead to information disclosure or application crash. An attack requires a crafted USB device or smart card that would present the system with specially crafted responses to the APDUs
- access.redhat.comhttps://access.redhat.com/security/cve/CVE-2025-13763
- bugzilla.redhat.comhttps://bugzilla.redhat.com/show_bug.cgi?id=2417581
- github.comhttps://github.com/OpenSC/OpenSC/security/advisories/GHSA-2v44-fq35-98vv
- github.comhttps://github.com/OpenSC/OpenSC/wiki/CVE-2025-13763
- github.comhttps://github.com/OpenSC/OpenSC/security/advisories/GHSA-2v44-fq35-98vv
CVECVSSEPSSKEVRExploitTitleMod.
CVE-2026-67489.8 CRI32.2%
——10Uninitialized memory in the Audio/Video: Web Codecs component. This vulnerability was fixed in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.3dCVE-2024-456163.9 LOW27.8%
——8A vulnerability was found in OpenSC, OpenSC tools, PKCS#11 module, minidriver, and CTK. An attacker could use a crafted USB Device or Smart Card, which would present the system with a specially crafted response to APDUs.
The following problems were caused by insufficient control of the response APDU buffer and its length when communicating with the card.18dCVE-2024-456153.9 LOW27.8%
——8A vulnerability was found in OpenSC, OpenSC tools, PKCS#11 module, minidriver, and CTK.
The problem is missing initialization of variables expected to be initialized (as arguments to other functions, etc.).18dCVE-2025-563647.5 HIG25.3%
——8A use of uninitialized value vulnerability exists in the Matter SDK (connectedhomeip) before 1.4.0, where the `GetDestinationGroupId().Value()` method is called without first checking whether a value exists. This leads to a crash when an InvokeCommand is sent without initializing the destination group ID. The issue affects all versions before commit 0360cc3 (Dec 5, 2024) and leads to denial of service through SIGABRT. It is fixed by adding a .HasValue() check before access.20hCVE-2026-139436.5 MED24.8%
——7Uninitialized Use in CSS in Google Chrome on Android prior to 150.0.7871.47 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)15dCVE-2026-139236.5 MED24.8%
——7Uninitialized Use in GPU in Google Chrome on Android prior to 150.0.7871.47 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)16d