CVE-2026-40528
Analyzed Analyzed - Analysis Complete
Stack and Heap Buffer Overrun in OpenSC PKCS#15 Profile

Publication date: 2026-05-29

Last updated on: 2026-06-03

Assigner: VulnCheck

Description
OpenSC before 0.27.0, fixed in commit 0358817, contains a stack and heap buffer overrun vulnerability in the do_key_value() function in src/pkcs15init/profile.c that allows attackers to corrupt memory by supplying a crafted profile configuration file. During pkcs15-init invocation, a key value entry beginning with '=' followed by more than sizeof(keybuf) characters is copied into keybuf via memcpy without a length check, causing both stack and heap buffer overruns.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-29
Last Modified
2026-06-03
Generated
2026-06-19
AI Q&A
2026-05-29
EPSS Evaluated
2026-06-18
NVD
CVE-2026-40528
EUVD
EUVD-2026-33320
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
opensc_project opensc to 0.27.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-121 A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function).
CWE-122 A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-40528 is a buffer overrun vulnerability in OpenSC versions before 0.27.0, specifically in the do_key_value() function located in src/pkcs15init/profile.c.

The flaw occurs when a crafted profile configuration file is supplied during the pkcs15-init invocation. If a key value entry starts with '=' followed by more characters than the size of the keybuf buffer, the data is copied into keybuf using memcpy without checking the length.

This lack of length validation causes both stack and heap buffer overruns, potentially corrupting memory.

The vulnerability was fixed in commit 0358817 by adding proper bounds checking to prevent copying data that exceeds the buffer size.

Impact Analysis

This vulnerability allows attackers to corrupt memory by supplying a specially crafted profile configuration file during pkcs15-init execution.

Memory corruption caused by stack and heap buffer overruns can lead to unpredictable behavior, crashes, or potentially exploitable conditions depending on the context.

However, the CVSS scores indicate a low to moderate severity (CVSS v4.0 Base Score 1.0, CVSS v3.1 Base Score 3.8), suggesting limited impact or difficulty in exploitation.

Detection Guidance

This vulnerability is triggered by supplying a crafted profile configuration file to the pkcs15-init tool in OpenSC. Detection involves checking for the presence of profile files containing key value entries starting with '=' followed by an excessively long string exceeding the size of the keybuf buffer.

You can attempt to detect the vulnerability by running pkcs15-init with suspicious or crafted profile files that contain key values starting with '=' and very long strings (e.g., 200+ characters). If the tool crashes or behaves unexpectedly, it may indicate the presence of the vulnerability.

No specific detection commands are provided in the available resources.

Mitigation Strategies

The immediate mitigation step is to upgrade OpenSC to version 0.27.0 or later, where the vulnerability has been fixed by adding proper length checks in the do_key_value() function.

Until the upgrade can be applied, avoid using untrusted or crafted profile configuration files with pkcs15-init, especially those containing key value entries starting with '=' followed by long strings.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-40528. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart