CVE-2026-40528
Stack and Heap Buffer Overrun in OpenSC PKCS#15 Profile
Publication date: 2026-05-29
Last updated on: 2026-05-29
Assigner: VulnCheck
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| opensc | opensc | to 0.27.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-122 | A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc(). |
| CWE-121 | A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function). |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-40528 is a buffer overrun in OpenSC versions before 0.27.0, in the do_key_value() function in src/pkcs15init/profile.c.
The function is reached when pkcs15-init parses a profile configuration file. If a key value entry starts with '=' and the text after it is longer than the fixed-size keybuf buffer, the bytes are copied into keybuf with memcpy without first checking the length against the buffer size.
Because the length is never validated, an oversized entry overruns both a stack buffer and a heap buffer, corrupting adjacent memory.
The fix, commit 0358817, adds a bounds check so that data larger than the buffer is rejected instead of copied.
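To make the defect concrete, the following is an added, illustrative re-implementation of the pattern the answer describes, not OpenSC's code. The buffer size (32 bytes), the struct layout, and the function names are assumptions made for the example; the only thing taken from the advisory is the convention that a value beginning with '=' carries the key bytes literally and is copied with memcpy. The vulnerable form and the hardened form sit side by side, and `overrun_bytes()` is the check an auditor would run over a profile entry.

```c
/*
 * Illustrative re-implementation of the key-value parsing pattern described
 * for CVE-2026-40528. This is NOT OpenSC's code: the buffer size, the struct
 * layout and the function names are assumptions made for the example.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define KEYBUF_SIZE 32          /* assumed size of the fixed stack buffer */

/* Hypothetical heap-resident key object the parsed bytes end up in. */
struct key_info {
    unsigned char key[KEYBUF_SIZE];
    size_t key_len;
};

/* Bytes an unchecked memcpy of this value would write past a KEYBUF_SIZE
 * buffer; 0 means the value fits. Usable for auditing profile entries. */
size_t overrun_bytes(const char *value)
{
    size_t len;
    if (value == NULL || value[0] != '=')
        return 0;                       /* not the '=' literal form */
    len = strlen(value + 1);
    return len > KEYBUF_SIZE ? len - KEYBUF_SIZE : 0;
}

/* VULNERABLE pattern: strlen() of attacker-controlled text is used as the
 * memcpy length with no comparison against sizeof keybuf. With a long value
 * the first memcpy runs off the end of the stack buffer and the second runs
 * off the end of ki->key on the heap. Kept only to show the defect; never
 * call it with untrusted input. */
int key_value_vulnerable(const char *value, struct key_info *ki)
{
    unsigned char keybuf[KEYBUF_SIZE];
    size_t len;

    if (value[0] != '=')
        return -1;                      /* only the '=' literal form is modelled */
    value++;
    len = strlen(value);
    memcpy(keybuf, value, len);         /* stack overrun when len > KEYBUF_SIZE */
    memcpy(ki->key, keybuf, len);       /* heap overrun for the same reason */
    ki->key_len = len;
    return 0;
}

/* HARDENED form: validate the length before any copy and fail closed. */
int key_value_hardened(const char *value, struct key_info *ki)
{
    unsigned char keybuf[KEYBUF_SIZE];
    size_t len;

    if (value[0] != '=')
        return -1;
    value++;
    len = strlen(value);
    if (len > sizeof keybuf)
        return -2;                      /* reject instead of overflowing */
    memcpy(keybuf, value, len);
    memcpy(ki->key, keybuf, len);
    ki->key_len = len;
    return 0;
}

/* Constructed test input: "=" followed by n 'A' bytes. Caller frees. */
char *make_literal_value(size_t n)
{
    char *s = malloc(n + 2);
    if (s == NULL)
        return NULL;
    s[0] = '=';
    memset(s + 1, 'A', n);
    s[n + 1] = '\0';
    return s;
}

int main(void)
{
    struct key_info *ki = calloc(1, sizeof *ki);   /* heap object, as in the advisory */
    const char *benign = "=secret";
    char *crafted = make_literal_value(200);        /* 200 chars, the advisory's example size */

    if (ki == NULL || crafted == NULL)
        return 1;

    printf("hardened(\"%s\") -> %d, key_len=%zu\n", benign,
           key_value_hardened(benign, ki), ki->key_len);
    printf("hardened(200-char value) -> %d (rejected)\n",
           key_value_hardened(crafted, ki));
    printf("an unchecked memcpy would write %zu bytes past keybuf\n",
           overrun_bytes(crafted));
    /* key_value_vulnerable(crafted, ki) is deliberately not executed:
     * it would corrupt the stack and the heap. */

    free(crafted);
    free(ki);
    return 0;
}
```

The hardened variant is the whole fix in miniature: the length is compared against `sizeof keybuf` before the first memcpy, and an oversized entry makes the parser fail rather than proceed with corrupted state. Compiling the example with `-fsanitize=address` and calling the vulnerable function on the 200-byte value is the quickest way to see both overruns reported.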
How can this vulnerability impact me?
An attacker who can get pkcs15-init to load a crafted profile configuration file can corrupt memory in the process.
Stack and heap buffer overruns of this kind usually cause a crash; depending on what is overwritten they can become exploitable.
The published CVSS scores are low (CVSS v4.0 Base Score 1.0, CVSS v3.1 Base Score 3.8), which is consistent with the precondition: the victim has to run pkcs15-init against an attacker-supplied profile file.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The bug is only reached when pkcs15-init parses a profile file, so there is no network signature to look for. The practical check is the installed OpenSC version: anything below 0.27.0 is affected. `opensc-tool -i` prints the OpenSC version, and the package manager shows what is installed (for example `dpkg -l opensc` on Debian/Ubuntu or `rpm -q opensc` on Fedora/RHEL). Auditing profile files means looking for key value entries whose text starts with '=' and runs longer than the keybuf buffer; an entry of 200 or more characters is well past the limit.
Reproducing the problem by running pkcs15-init on a crafted profile only shows something if the overrun happens to hit memory that faults; a silent corruption is invisible without a sanitizer build (for example AddressSanitizer). Treat that as a confirmation step on a test machine, not as a deployment check.
The advisory resources themselves provide no detection commands; the version commands above are ordinary OpenSC administration commands.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation is to upgrade OpenSC to version 0.27.0 or later, where the length check in do_key_value() was added.
Until the upgrade can be applied, run pkcs15-init only with profile files from trusted sources, such as the profiles shipped with OpenSC, and do not accept profile files from untrusted parties, in particular any containing key value entries that start with '=' followed by a long string.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The available information does not describe any direct impact of this vulnerability on compliance with standards and regulations such as GDPR or HIPAA.