CVE-2025-24531

Summary

In OpenSC pam_pkcs11 before 0.6.13, pam_sm_authenticate() wrongly returns PAM_IGNORE in many error situations (such as an error triggered by a smartcard before login), allowing authentication bypass.

Affected Software

VendorProductVersion RangeStatus
OpenSC projectpam_pkcs110.6.12 < 0.6.13affected

Weaknesses

  • CWE-393: CWE-393 Return of Wrong Status Code

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

CVE Program Container

Additional References

References