oss-sec mailing list archives

OpenSC, ghostscript, cgif issues from the recent Anthropic disclosure


From: Joe Malcolm <jmalcolm () uraeus com>
Date: Fri, 20 Feb 2026 08:17:15 -0500

Many will have seen the recent post from Anthropic (1) and associated reporting that says they found 500+ 
vulnerabilities and lists 3 of them.  These three issues don’t appear to have CVEs and two don’t appear in releases. I 
don’t know if that indicates the maintainers don't agree with the significance of these findings, but I wonder if the 
other 498+ vulnerabilities also lack CVEs.

1. For OpenSC, the commit appears to be:

https://github.com/OpenSC/OpenSC/commit/9ab1daf21029dd18f8828d684ee6151d9238edab

There are no disclosed security issues more recent than 2024 at https://github.com/OpenSC/OpenSC/security and the last release was OpenSC 0.26.1.


2. For cgif, the fix is 
https://github.com/dloebl/cgif/commit/07052febd3a252d30e6f0de67b2ea4f6b9aacddd and it appears in v0.5.1.


3. For ghostscript, the commit appears to be 
https://github.com/ArtifexSoftware/ghostpdl/commit/4e392a82d1b1780cab85804728317f36a9c4f7f7 which references a 
nonpublic bug 709080 <https://bugs.ghostscript.com/show_bug.cgi?id=709080>. The last release is 10.06.0 (2025-09-09) so 
there is no release with this fix.


Anthropic’s post: https://red.anthropic.com/2026/zero-days/ 

Joe
