Information disclosure in Microsoft Windows Smart Card Reader

1) Use of uninitialized resource

EUVDB-ID: #VU102748

Risk: Low

CVSSv4.0: 0.4 [CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2025-21312

CWE-ID: CWE-908 - Use of Uninitialized Resource

Exploit availability: No

Description

The vulnerability allows a local attacker to bypass certain security restrictions.

The vulnerability exists due to usage of uninitialized resources in Windows Smart Card Reader. An attacker with physical acccess can pass specially crafted data to the application, trigger uninitialized usage of resources and gain access to sensitive information on the target system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Windows: 10 21H2 10.0.19041.3920 - 11 24H2 10.0.26100.2894

Windows Server: 2012 Gold - 2022 23H2 10.0.25398.1308

CPE2.3

• cpe:2.3:o:microsoft:windows:10_21H2:10.0.19044.5247:*:*:*:*:*:*
• cpe:2.3:o:microsoft:windows:10_22H2:10.0.19045.5247:*:*:*:*:*:*
• cpe:2.3:o:microsoft:windows:10_1507:10.0.10240.20857:*:*:*:*:*:*
• cpe:2.3:o:microsoft:windows:10_1607:10.0.14393.7606:*:*:*:*:*:*
• cpe:2.3:o:microsoft:windows:10_1809:10.0.17763.6659:*:*:*:*:*:*
• cpe:2.3:o:microsoft:windows:11_22H2:10.0.22621.4602:*:*:*:*:*:*
• cpe:2.3:o:microsoft:windows:11_23H2:10.0.22631.4602:*:*:*:*:*:*
• cpe:2.3:o:microsoft:windows:11_24H2:10.0.26100.2894:*:*:*:*:*:*
• cpe:2.3:o:microsoft:windows_server:2012:6.2.9200.25222:*:*:*:*:*:*
• cpe:2.3:o:microsoft:windows_server:2016:10.0.14393.7699:*:*:*:*:*:*

External links

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2025-21312

Q & A

Can this vulnerability be exploited remotely?

No. The attacker should have physical access to the system in order to successfully exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.