PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-10109 Canonical CVE debrief

CVE-2016-10109 is a remotely reachable use-after-free in pcsc-lite. A command path can use "cardsList" after the handle has been released via SCardReleaseContext, which can crash the service and create a denial-of-service condition. NVD rates the issue High with no privileges or user interaction required and availability impact only.

Vendor: Canonical
Product: Unknown
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-23
Original CVE updated: 2026-05-13
Advisory published: 2017-02-23
Advisory updated: 2026-05-13

Who should care

Administrators and package maintainers running pcsc-lite 1.8.19 or earlier, including Ubuntu releases listed in the NVD CPE data and other Linux distributions that ship the affected library. Teams that depend on smart-card services or embed pcsc-lite should also verify they are not carrying a vulnerable copy.

Technical summary

The vulnerability is classified as CWE-416 (use-after-free). Per the NVD description, a command can continue to access "cardsList" after SCardReleaseContext has released the context handle, leaving a dangling reference that may be dereferenced and cause a crash. The affected range in NVD is pcsc-lite through 1.8.19, with the fix associated with 1.8.20. The CVSS v3.0 vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H indicates a network-reachable, unauthenticated availability issue rather than a data exposure or code-execution finding.

Defensive priority

High

Recommended defensive actions

  • Inventory systems and packages to find pcsc-lite versions at or below 1.8.19.
  • Upgrade to pcsc-lite 1.8.20 or a vendor package that explicitly includes the fix.
  • Apply the relevant distribution advisories for Debian, Ubuntu, or Gentoo if you use those packages.
  • Restart or redeploy affected services after patching so the fixed library is loaded.
  • If immediate patching is not possible, prioritize isolating exposed smart-card services and watch for crash loops or availability incidents.
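The inventory and upgrade-verification steps above, as an added example script (not PatchSiren's code, nor the pcsc-lite project's). It assumes Debian-family hosts where pcsc-lite ships as the pcscd and libpcsclite1 binary packages and that the inventory is collected with `dpkg-query -W -f '${Package} ${Version}\n' pcscd libpcsclite1`; the dpkg version ordering is reimplemented here so the check runs offline. The sample dpkg output and the "backport" fixed version are constructed placeholders, not values taken from USN-3176-1 or DSA-3752: when a distribution backports the fix without bumping the upstream version, the operator must supply the fixed package version from the relevant advisory, otherwise comparing against upstream 1.8.20 alone reports a false positive.

```python
"""Triage installed pcsc-lite packages against the CVE-2016-10109 fix version.

Added example; not PatchSiren's or the pcsc-lite project's code. Assumptions:
 - Debian-family hosts where pcsc-lite ships as the 'pcscd' / 'libpcsclite1' packages,
 - version strings in dpkg format 'epoch:upstream-revision',
 - dpkg's version ordering, reimplemented below (use `dpkg --compare-versions`
   on a live host if you need the authoritative answer).
"""
from typing import Dict, List, Optional, Tuple

# Upstream release that carries the fix, per the NVD record summarised on this page.
FIXED_UPSTREAM = "1.8.20"


def split_debian_version(version: str) -> Tuple[int, str, str]:
    """Split 'epoch:upstream-revision' into parts; epoch defaults to 0, revision to ''."""
    epoch = 0
    if ":" in version:
        epoch_text, version = version.split(":", 1)
        epoch = int(epoch_text)
    if "-" in version:
        upstream, _, revision = version.rpartition("-")
    else:
        upstream, revision = version, ""
    return epoch, upstream, revision


def _char_order(c: str) -> int:
    """dpkg ordering for non-digit characters: '~' < end of string < letters < others."""
    if c == "~":
        return -1
    if c == "":
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def compare_fragment(a: str, b: str) -> int:
    """Compare two version fragments the way dpkg does: alternate non-digit runs
    (character by character) and digit runs (numerically). Returns -1, 0 or 1."""
    ia = ib = 0
    while ia < len(a) or ib < len(b):
        while True:  # non-digit run
            ca = a[ia] if ia < len(a) and not a[ia].isdigit() else ""
            cb = b[ib] if ib < len(b) and not b[ib].isdigit() else ""
            if ca == "" and cb == "":
                break
            if ca != cb:
                return -1 if _char_order(ca) < _char_order(cb) else 1
            ia += 1
            ib += 1
        na = nb = ""  # digit run
        while ia < len(a) and a[ia].isdigit():
            na += a[ia]
            ia += 1
        while ib < len(b) and b[ib].isdigit():
            nb += b[ib]
            ib += 1
        if int(na or "0") != int(nb or "0"):
            return -1 if int(na or "0") < int(nb or "0") else 1
    return 0


def compare_versions(a: str, b: str) -> int:
    """Full dpkg-style comparison: epoch first, then upstream version, then revision."""
    ea, ua, ra = split_debian_version(a)
    eb, ub, rb = split_debian_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    result = compare_fragment(ua, ub)
    return result if result != 0 else compare_fragment(ra, rb)


def is_vulnerable(installed: str, fixed: str = FIXED_UPSTREAM) -> bool:
    """True when the installed version sorts before the version that carries the fix."""
    return compare_versions(installed, fixed) < 0


def triage(dpkg_output: str, fixed_versions: Optional[Dict[str, str]] = None) -> List[dict]:
    """Parse `dpkg-query -W -f '${Package} ${Version}\\n' ...` output and flag each package.
    `fixed_versions` overrides the upstream threshold per package for distributions that
    backported the fix without bumping the upstream version (value comes from the advisory)."""
    fixed_versions = fixed_versions or {}
    findings = []
    for line in dpkg_output.strip().splitlines():
        package, version = line.split(maxsplit=1)
        threshold = fixed_versions.get(package, FIXED_UPSTREAM)
        findings.append({
            "package": package,
            "version": version,
            "fixed_in": threshold,
            "vulnerable": is_vulnerable(version, threshold),
        })
    return findings


# Constructed dpkg-query output for two hypothetical hosts (not real inventory data).
SAMPLE_OLD_HOST = "pcscd 1.8.14-1ubuntu1\nlibpcsclite1 1.8.14-1ubuntu1\n"
SAMPLE_PATCHED_HOST = "pcscd 1.8.20-1\nlibpcsclite1 1.8.20-1\n"
# Placeholder for a distro-patched version; replace with the version named in the advisory.
BACKPORT_FIXED = {"pcscd": "1.8.14-1ubuntu1.16.04.1", "libpcsclite1": "1.8.14-1ubuntu1.16.04.1"}

if __name__ == "__main__":
    for host, output in (("old-host", SAMPLE_OLD_HOST), ("patched-host", SAMPLE_PATCHED_HOST)):
        for finding in triage(output):
            status = "VULNERABLE" if finding["vulnerable"] else "ok"
            print(f"{host}: {finding['package']} {finding['version']} -> {status}")
```

Run it per host against the output of the dpkg-query command in the docstring; pass a `fixed_versions` map such as BACKPORT_FIXED (filled in from the distribution advisory) for releases that carry a backported fix, and remember the bullet above about restarting services: a fixed package on disk does not clear a still-running pcscd that loaded the old library.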

Evidence notes

The supplied NVD record lists CVSS 3.0 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H and CWE-416. The vulnerable CPE criteria include pcsc-lite through 1.8.19 and Ubuntu 12.04, 14.04, 16.04, and 16.10. Public references include Debian DSA-3752, Ubuntu USN-3176-1, a vendor mailing-list advisory, and third-party advisories, all consistent with a fix in the 1.8.20 release line. The CVE was first published on 2017-02-23 and later modified in the supplied NVD metadata on 2026-05-13.

Official resources

First published in the supplied record on 2017-02-23; the NVD entry was later modified on 2026-05-13. Use the CVE published date as the disclosure timing for this issue.