CVE-2026-10275
Deferred Deferred - Pending Action
Buffer Overflow in OpenSC pkcs11-tool

Publication date: 2026-06-01

Last updated on: 2026-06-01

Assigner: VulDB

Description
A flaw has been found in OpenSC up to 0.26.1. This affects the function test_kpgen_certwrite of the file src/tools/pkcs11-tool.c of the component pkcs11-tool Key Generation Module. This manipulation causes buffer overflow. The attack is possible to be carried out remotely. The complexity of an attack is rather high. It is indicated that the exploitability is difficult. The exploit has been published and may be used. Patch name: 814f745b3b6d100295f65f1935edd33d520d33ab. It is recommended to apply a patch to fix this issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-01
Last Modified
2026-06-01
Generated
2026-06-22
AI Q&A
2026-06-01
EPSS Evaluated
2026-06-20
NVD
CVE-2026-10275
EUVD
EUVD-2026-33680
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
opensc opensc to 0.26.1 (exc)
opensc opensc to 0.27.1 (exc)
opensc opensc to 0.26.1 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-120 The product copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer.
CWE-119 The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a global buffer overflow in the OpenSC pkcs11-tool utility, specifically in the key generation module's function test_kpgen_certwrite().

The flaw occurs because the program uses a fixed-size global buffer of 100 bytes to store the CKA_ID attribute returned by a PKCS#11 token or smart card, but it does not validate that the length of this attribute fits within the buffer.

If a malicious or compromised smart card returns an oversized CKA_ID (e.g., 200 bytes or more), the program copies this data beyond the buffer's bounds, causing a buffer overflow that can corrupt adjacent memory and potentially allow arbitrary code execution.

Exploitation requires tricking the victim into using the pkcs11-tool with a malicious PKCS#11 module or compromised smart card. The attack complexity is high and exploitability is difficult, but an exploit has been published.

Impact Analysis

This vulnerability can lead to a buffer overflow that may allow an attacker to execute arbitrary code on the affected system.

If exploited, it could corrupt memory, potentially causing crashes or enabling privilege escalation or unauthorized actions within the context of the pkcs11-tool utility.

Because the attack requires a malicious PKCS#11 module or compromised smart card, the risk is tied to the use of untrusted or tampered hardware or software components.

The vulnerability has a medium severity score (CVSS v3.1 base score 5.0) and the attack complexity is high, meaning it is not trivial to exploit but still poses a security risk.

Applying the available patch is recommended to mitigate this risk.

Detection Guidance

The vulnerability exists in the pkcs11-tool utility of OpenSC, specifically in the function test_kpgen_certwrite. Detection involves checking for buffer overflow issues when processing the CKA_ID attribute during key pair generation tests.

One way to detect the vulnerability is to run pkcs11-tool commands that trigger the key pair generation tests, such as using the options -z, --test-ec, or --test-kpgen, and monitor for crashes or abnormal behavior indicating a buffer overflow.

Additionally, using tools like AddressSanitizer during testing can help detect global buffer overflows by identifying memory corruption when oversized CKA_ID attributes are processed.

  • Run: pkcs11-tool -z
  • Run: pkcs11-tool --test-ec
  • Run: pkcs11-tool --test-kpgen

Observe if these commands cause crashes or errors related to buffer overflow, which may indicate the presence of the vulnerability.

Mitigation Strategies

The primary mitigation step is to apply the official patch that fixes the buffer overflow vulnerability in pkcs11-tool. This patch adds explicit bounds checking on the length of the CKA_ID attribute before copying it into a fixed-size buffer.

Updating OpenSC to version 0.27.1 or later, which includes the fix, is strongly recommended.

Avoid using untrusted or malicious PKCS#11 modules or compromised smart cards, as exploitation requires loading a malicious module or using a compromised card.

Audit and verify all PKCS#11 tokens and modules in use to ensure they are from trusted sources.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-10275. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart