Description

In OpenSC pam_pkcs11 before 0.6.13, pam_sm_authenticate() wrongly returns PAM_IGNORE in many error situations (such as an error triggered by a smartcard before login), allowing authentication bypass.

PUBLISHED Reserved 2025-01-23 | Published 2026-01-16 | Updated 2026-01-16 | Assigner mitre




MEDIUM: 6.7 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Problem types

CWE-393 Return of Wrong Status Code

Product status

Default status
unaffected

0.6.12 (semver) before 0.6.13
affected

References

www.openwall.com/lists/oss-security/2025/02/06/3

www.openwall.com/lists/oss-security/2025/02/06/7

github.com/...pkcs11/security/advisories/GHSA-7mf6-rg36-qgch

github.com/OpenSC/pam_pkcs11/releases

cve.org (CVE-2025-24531)

nvd.nist.gov (CVE-2025-24531)
