PatchSiren cyber security CVE debrief

CVE-2016-10109 Canonical CVE debrief

CVE-2016-10109 is a remotely reachable use-after-free in pcsc-lite. A command path can use "cardsList" after the handle has been released via SCardReleaseContext, which can crash the service and create a denial-of-service condition. NVD rates the issue High with no privileges or user interaction required and availability impact only.

Vendor: Canonical
Product: CVE-2016-10109
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-23
Original CVE updated: 2026-05-13
Advisory published: 2017-02-23
Advisory updated: 2026-05-13

Who should care

Administrators and package maintainers running pcsc-lite 1.8.19 or earlier, including Ubuntu releases listed in the NVD CPE data and other Linux distributions that ship the affected library. Teams that depend on smart-card services or embed pcsc-lite should also verify they are not carrying a vulnerable copy.

Technical summary

The vulnerability is classified as CWE-416 (use-after-free). Per the NVD description, a command can continue to access "cardsList" after SCardReleaseContext has released the context handle, leaving a dangling reference that may be dereferenced and cause a crash. The affected range in NVD is pcsc-lite through 1.8.19, with the fix associated with 1.8.20. The CVSS v3.0 vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H indicates a network-reachable, unauthenticated availability issue rather than a data exposure or code-execution finding.

Defensive priority

High

Recommended defensive actions

  • Inventory systems and packages to find pcsc-lite versions at or below 1.8.19.
  • Upgrade to pcsc-lite 1.8.20 or a vendor package that explicitly includes the fix.
  • Apply the relevant distribution advisories for Debian, Ubuntu, or Gentoo if you use those packages.
  • Restart or redeploy affected services after patching so the fixed library is loaded.
  • If immediate patching is not possible, prioritize isolating exposed smart-card services and watch for crash loops or availability incidents.
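The inventory and upgrade steps above come down to one check per host: is the installed pcsc-lite at or below 1.8.19? The script below is an added example written for this debrief, not code from PatchSiren or the pcsc-lite project. It assumes the fixed upstream release is 1.8.20 (as stated in the summary), that Debian/Ubuntu package versions carry an optional epoch and a `-revision` suffix around the upstream version, and that `pcscd` is the package name you would query with `dpkg-query`; the host/version inventory it runs over is constructed sample data.

```shell
#!/bin/sh
# Added example (not from the PatchSiren debrief or the pcsc-lite project):
# flag hosts whose pcsc-lite package is at or below 1.8.19, the last upstream
# release NVD lists as affected by CVE-2016-10109.

# Upstream release that carries the fix, per the debrief.
FIXED_UPSTREAM="1.8.20"

# Reduce a distribution package version to its upstream part: strip a Debian
# epoch ("1:"), the Debian revision ("-1ubuntu1.1") and any "+dfsg"-style
# suffix, so "1:1.8.14-1ubuntu1.1" becomes "1.8.14".
upstream_version() {
    _v="${1#*:}"
    _v="${_v%%-*}"
    _v="${_v%%+*}"
    printf '%s\n' "$_v"
}

# Numeric, component-wise comparison of dotted versions. Exit status 0 when
# $1 < $2, 1 otherwise. Runs in a subshell so its variables stay local.
# A plain string compare would be wrong here: it orders 1.8.9 after 1.8.19.
version_lt() (
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        ai="${ai:-0}"; bi="${bi:-0}"
        if [ "$ai" -lt "$bi" ]; then return 0; fi
        if [ "$ai" -gt "$bi" ]; then return 1; fi
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
    done
    return 1
)

# Exit status 0 when the package's upstream version is at or below 1.8.19.
is_vulnerable() {
    version_lt "$(upstream_version "$1")" "$FIXED_UPSTREAM"
}

# Constructed sample inventory ("host version"), in the shape you would get
# from e.g. `dpkg-query -W -f='${Version}' pcscd` on Debian/Ubuntu hosts
# (pcscd is the assumed package name for the pcsc-lite daemon).
INVENTORY='
web01    1.8.14-1ubuntu1.1
hsm-gw   1.8.20-1
kiosk7   1.8.19
build02  1:1.8.10-1
lab-pi   1.8.9
'

# Print one status line per host; always succeeds.
report() {
    while read -r host ver; do
        case "$host" in "") continue ;; esac
        if is_vulnerable "$ver"; then
            printf '%-8s %-18s VULNERABLE (upstream %s <= 1.8.19)\n' \
                "$host" "$ver" "$(upstream_version "$ver")"
        else
            printf '%-8s %-18s ok\n' "$host" "$ver"
        fi
    done <<EOF
$INVENTORY
EOF
    return 0
}

# Print the number of hosts still on an affected upstream version.
count_vulnerable() {
    n=0
    while read -r host ver; do
        case "$host" in "") continue ;; esac
        if is_vulnerable "$ver"; then n=$((n + 1)); fi
    done <<EOF
$INVENTORY
EOF
    echo "$n"
}

report
```

Treat the result as a conservative screen rather than a verdict: distributions often backport a fix without moving the package to the upstream 1.8.20 version string, so a host flagged here may already carry the Debian DSA-3752 or Ubuntu USN-3176-1 package. For those hosts, compare the installed package version against the fixed package version named in the distribution advisory instead of against the upstream number. After upgrading, confirm the daemon was actually restarted so the patched library is loaded, not just installed on disk.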

Evidence notes

The supplied NVD record lists CVSS 3.0 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H and CWE-416. The vulnerable CPE criteria include pcsc-lite through 1.8.19 and Ubuntu 12.04, 14.04, 16.04, and 16.10. Public references include Debian DSA-3752, Ubuntu USN-3176-1, a vendor mailing-list advisory, and third-party advisories, all consistent with a fix in the 1.8.20 release line. The CVE was first published on 2017-02-23 and later modified in the supplied NVD metadata on 2026-05-13.

Official resources

First published in the supplied record on 2017-02-23; the NVD entry was later modified on 2026-05-13. Use the CVE published date as the disclosure timing for this issue.