CVE-2026-40510
Stack Buffer Overflow in OpenSC PIV Smart Card
Publication date: 2026-05-29
Last updated on: 2026-05-29
Assigner: VulnCheck
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| opensc | opensc | to 0.27.0-rc1 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-121 | A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function). |
AI Powered Q&A
How can this vulnerability impact me?
The impact of this vulnerability is considered low severity, with a CVSS v4 base score of 1.0.
An attacker must be physically present and supply a maliciously crafted PIV smart card or USB device to trigger the vulnerability.
Successful exploitation could lead to memory corruption, which might cause application crashes or unpredictable behavior in the OpenSC software.
However, there is no indication from the provided information that this vulnerability allows remote code execution or privilege escalation.
Can you explain this vulnerability to me?
This vulnerability is a stack buffer overflow in OpenSC versions before 0.27.0-rc1, specifically in the piv_process_history() function within the card-piv.c source file.
It occurs when a physically present attacker presents a specially crafted PIV smart card or USB device that returns a Key History Object ASN.1 response containing a URL field longer than 118 bytes.
This causes memory corruption due to the buffer overflow, potentially leading to unexpected behavior or crashes.
The issue was fixed by validating the filename derived from the URL to ensure it is exactly 64 characters long and contains only valid hexadecimal digits, preventing the overflow.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability is triggered when a physically present attacker presents a maliciously crafted PIV smart card or USB device that returns a Key History Object ASN.1 response with a URL field longer than 118 bytes.
Detection involves verifying the version of OpenSC installed and checking whether the installed build still carries the unpatched piv_process_history(), which handles the URL field without validation.
You can detect if your OpenSC version is vulnerable by checking the installed version with the command:
- opensc-tool --version
If the version is before 0.27.0-rc1, it is vulnerable.
To detect attempts to exploit this vulnerability, monitor logs or system behavior when a PIV smart card or USB device is inserted, especially if it returns unusually long URL fields in the Key History Object.
There are no specific commands provided in the resources to detect crafted payloads or malformed URL fields directly.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to upgrade OpenSC to version 0.27.0-rc1 or later, where the vulnerability has been fixed.
The fix involves validating the filename derived from the URL in the Key History Object to ensure it is exactly 64 characters long and contains only valid hexadecimal digits, preventing buffer overflow.
Until the upgrade can be applied, avoid using untrusted or unknown PIV smart cards or USB devices that could trigger the vulnerability.
Review and apply the security patch from commit 3f24f0b if you maintain a custom build of OpenSC.
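The two answers above describe the fix only in words: the filename derived from the Key History Object URL must be exactly 64 characters and consist solely of hexadecimal digits before it is used. The following C is an added illustration of that validation pattern; it is not OpenSC's code and does not reproduce commit 3f24f0b. It assumes the filename is the last `/`-separated path component of the URL and, based on the 118-byte figure in the description, rejects any URL field longer than 118 bytes before anything is copied. The constants, function names and sample URLs are constructed for the example.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed limits for the example: the page states the overflow needs a URL
   field longer than 118 bytes and the fixed filename must be 64 hex digits. */
#define KH_URL_MAX      118
#define KH_FILENAME_LEN 64

/* Constructed sample URL: 23-byte prefix plus a 64-character hex filename. */
const char SAMPLE_GOOD_URL[] =
    "http://example.invalid/"
    "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef";

/* True only if name is exactly KH_FILENAME_LEN hex digits followed by NUL. */
bool kh_filename_is_valid(const char *name)
{
    if (name == NULL)
        return false;
    size_t n = 0;
    while (n <= KH_FILENAME_LEN && name[n] != '\0')   /* bounded length scan */
        n++;
    if (n != KH_FILENAME_LEN)
        return false;
    for (size_t i = 0; i < KH_FILENAME_LEN; i++)
        if (!isxdigit((unsigned char)name[i]))
            return false;
    return true;
}

/* Copies the last path component of an untrusted, non-NUL-terminated URL
   field into a caller-supplied buffer only after length and content checks.
   Returns 0 on success, -1 if the input is rejected (out is then zeroed). */
int kh_extract_filename(const unsigned char *url, size_t url_len,
                        char *out, size_t out_len)
{
    if (url == NULL || out == NULL || out_len < KH_FILENAME_LEN + 1)
        return -1;
    /* Length check happens before any copy: an over-long field is dropped. */
    if (url_len == 0 || url_len > KH_URL_MAX)
        return -1;

    size_t start = 0;                         /* index after the last '/' */
    for (size_t i = 0; i < url_len; i++)
        if (url[i] == '/')
            start = i + 1;

    size_t name_len = url_len - start;
    if (name_len != KH_FILENAME_LEN)          /* exact size, no truncation */
        return -1;

    memcpy(out, url + start, name_len);
    out[name_len] = '\0';
    if (!kh_filename_is_valid(out)) {         /* hex-digit content check */
        memset(out, 0, out_len);
        return -1;
    }
    return 0;
}

/* Convenience wrapper for NUL-terminated test strings. */
int kh_check_url(const char *url)
{
    char name[KH_FILENAME_LEN + 1];
    return kh_extract_filename((const unsigned char *)url, strlen(url),
                               name, sizeof name);
}

/* Builds a URL field of `len` bytes of 'a' (no slash) and validates it. */
int kh_check_run_of_a(size_t len)
{
    unsigned char buf[512];
    if (len > sizeof buf)
        return -1;
    memset(buf, 'a', len);
    char name[KH_FILENAME_LEN + 1];
    return kh_extract_filename(buf, len, name, sizeof name);
}

int main(void)
{
    printf("well-formed URL : %d\n", kh_check_url(SAMPLE_GOOD_URL));   /* 0  */
    printf("200-byte field  : %d\n", kh_check_run_of_a(200));          /* -1 */
    printf("64 hex, no slash: %d\n", kh_check_run_of_a(64));           /* 0  */
    return 0;
}
```

The order of the checks is the point: the caller's buffer is sized for the validated result, the raw field length is bounded before the copy, and the copy itself is an exact 64-byte move rather than a string copy driven by attacker-controlled length.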
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.