Information disclosure in Microsoft Windows Smart Card Reader



| Updated: 2025-03-10
Risk Low
Patch available YES
Number of vulnerabilities 1
CVE-ID CVE-2025-21312
CWE-ID CWE-908
Exploitation vector Local
Public exploit N/A
Vulnerable software
Windows
Operating systems & Components / Operating system

Windows Server
Operating systems & Components / Operating system

Vendor Microsoft

Security Bulletin

This security bulletin contains one low risk vulnerability.

1) Use of uninitialized resource

EUVDB-ID: #VU102748

Risk: Low

CVSSv4.0: 0.4 [CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2025-21312

CWE-ID: CWE-908 - Use of Uninitialized Resource

Exploit availability: No

Description

The vulnerability allows a local attacker to bypass certain security restrictions.

The vulnerability exists due to usage of uninitialized resources in Windows Smart Card Reader. An attacker with physical acccess can pass specially crafted data to the application, trigger uninitialized usage of resources and gain access to sensitive information on the target system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Windows: 10 21H2 10.0.19041.3920 - 11 24H2 10.0.26100.2894

Windows Server: 2012 Gold - 2022 23H2 10.0.25398.1308

CPE2.3 External links

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2025-21312


Q & A

Can this vulnerability be exploited remotely?

No. The attacker should have physical access to the system in order to successfully exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###