CVE-2026-10275
Buffer Overflow in OpenSC pkcs11-tool
Publication date: 2026-06-01
Last updated on: 2026-06-01
Assigner: VulDB
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| opensc | opensc | to 0.27.1 (exc) |
| opensc | opensc | to 0.26.1 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-120 | The product copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer. |
| CWE-119 | The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a global buffer overflow in the OpenSC pkcs11-tool utility, specifically in the key generation module's function test_kpgen_certwrite().
The flaw occurs because the program uses a fixed-size global buffer of 100 bytes to store the CKA_ID attribute returned by a PKCS#11 token or smart card, but it does not validate that the length of this attribute fits within the buffer.
If a malicious or compromised smart card returns an oversized CKA_ID (e.g., 200 bytes or more), the program copies this data beyond the buffer's bounds, causing a buffer overflow that can corrupt adjacent memory and potentially allow arbitrary code execution.
Exploitation requires tricking the victim into using the pkcs11-tool with a malicious PKCS#11 module or compromised smart card. The attack complexity is high and exploitability is difficult, but an exploit has been published.
How can this vulnerability impact me?
This vulnerability can lead to a buffer overflow that may allow an attacker to execute arbitrary code on the affected system.
If exploited, it could corrupt memory, potentially causing crashes or enabling privilege escalation or unauthorized actions within the context of the pkcs11-tool utility.
Because the attack requires a malicious PKCS#11 module or compromised smart card, the risk is tied to the use of untrusted or tampered hardware or software components.
The vulnerability has a medium severity score (CVSS v3.1 base score 5.0) and the attack complexity is high, meaning it is not trivial to exploit but still poses a security risk.
Applying the available patch is recommended to mitigate this risk.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The vulnerability exists in the pkcs11-tool utility of OpenSC, specifically in the function test_kpgen_certwrite. Detection means checking how the tool handles the CKA_ID attribute during its key pair generation tests, since that is where the overflow occurs.
One way to detect the vulnerability is to run pkcs11-tool commands that trigger the key pair generation tests, such as using the options -z, --test-ec, or --test-kpgen, and monitor for crashes or abnormal behavior indicating a buffer overflow.
Additionally, using tools like AddressSanitizer during testing can help detect global buffer overflows by identifying memory corruption when oversized CKA_ID attributes are processed.
- Run: pkcs11-tool -z
- Run: pkcs11-tool --test-ec
- Run: pkcs11-tool --test-kpgen
Observe if these commands cause crashes or errors related to buffer overflow, which may indicate the presence of the vulnerability.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to apply the official patch that fixes the buffer overflow vulnerability in pkcs11-tool. This patch adds explicit bounds checking on the length of the CKA_ID attribute before copying it into a fixed-size buffer.
Updating OpenSC to version 0.27.1 or later, which includes the fix, is strongly recommended.
Avoid using untrusted or malicious PKCS#11 modules or compromised smart cards, as exploitation requires loading a malicious module or using a compromised card.
Audit and verify all PKCS#11 tokens and modules in use to ensure they are from trusted sources.
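The pattern the answers above describe, as an added C illustration that is not OpenSC's own code: a constructed 100-byte global buffer receiving a CKA_ID from a simulated token, with the unchecked copy shown beside the bounded copy the fix introduces. The struct, function names and attribute tag value are assumptions.

```c
#include <string.h>

/* Constructed model of the bug class, not OpenSC's own code. The advisory
 * describes a fixed-size global buffer of 100 bytes holding the CKA_ID. */
#define ID_BUF_SIZE 100
static unsigned char id_buf[ID_BUF_SIZE];

/* Minimal stand-in for a PKCS#11 CK_ATTRIBUTE (type, pValue, ulValueLen). */
struct attr {
    unsigned long type;       /* attribute tag; the numeric value is assumed */
    const void *value;
    unsigned long value_len;  /* length reported by the token: untrusted */
};

/* Simulated token answer: both the bytes and the length come from the card. */
struct attr token_get_cka_id(const unsigned char *card_data, unsigned long len)
{
    struct attr a = { 0x102 /* assumed CKA_ID tag */, card_data, len };
    return a;
}

/* Pre-fix pattern, shown for contrast: copies whatever length the token
 * reported, so a 200-byte CKA_ID writes 100 bytes past id_buf. */
int copy_id_unchecked(const struct attr *a)
{
    memcpy(id_buf, a->value, a->value_len);
    return (int)a->value_len;
}

/* Fixed pattern: bound the length against the destination before copying.
 * Returns bytes stored, or -1 when the attribute does not fit. */
int copy_id_checked(const struct attr *a)
{
    if (a->value == NULL || a->value_len > sizeof(id_buf))
        return -1;
    memcpy(id_buf, a->value, a->value_len);
    return (int)a->value_len;
}

/* Driver: simulate a card returning a CKA_ID of `len` bytes (constructed
 * 0x41 filler) and run the checked copy on it. */
int try_checked_copy(unsigned long len)
{
    unsigned char card_data[256];
    if (len > sizeof(card_data))
        return -2;                /* outside what this driver simulates */
    memset(card_data, 0x41, len);
    struct attr a = token_get_cka_id(card_data, len);
    return copy_id_checked(&a);
}
```

Running the driver with 100 and 101 bytes shows the boundary the check enforces; under AddressSanitizer the unchecked copy with a 200-byte attribute is reported as a global-buffer-overflow.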
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.