CVE-2024-1454: 
NixOS vulnerability analysis and mitigation

A use-after-free vulnerability (CVE-2024-1454) was discovered in the AuthentIC driver within OpenSC packages, specifically affecting the card enrollment process using pkcs15-init when users or administrators enroll or modify cards. The vulnerability affects OpenSC versions up to (excluding) 0.25.0, impacting various operating systems including Fedora and Red Hat Enterprise Linux (NVD, Red Hat Advisory).

The vulnerability is classified with a CVSS v3.1 Base Score of 3.4 (LOW) with the vector string CVSS:3.1/AV:P/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N. The flaw requires physical access to the computer system and a crafted USB device or smart card to present specially crafted responses to the APDUs. The vulnerability is categorized as CWE-416 (Use After Free) (NVD).

The exploitation of this vulnerability can potentially allow for compromised card management operations during the enrollment process. However, due to the requirement of physical access and high attack complexity, the overall severity is assessed as low (Red Hat Advisory).

The vulnerability has been fixed in OpenSC version 0.25.0. Users are advised to upgrade to this version or later. The fix has been implemented through a patch that addresses the use-after-free issue in the AuthentIC driver (GitHub Patch).