CVE-2026-40510 OpenSC CVE debrief

Who should care

Organizations deploying PIV-based authentication systems, particularly in government, enterprise, and high-security environments where smart card middleware is utilized. Security teams responsible for endpoint protection and physical access controls should assess exposure.

Technical summary

The vulnerability resides in the `piv_process_history()` function within OpenSC's PIV card driver (`card-piv.c`). When parsing the Key History Object from a PIV card's ASN.1 response, the code fails to properly validate the length of the URL field before copying it to a fixed-size stack buffer. A URL field longer than 118 bytes triggers a stack buffer overflow, potentially leading to memory corruption. The attack requires physical possession of a maliciously crafted PIV smart card or USB device and user interaction to insert/activate the device. The CVSS 4.0 score of 1.0 (LOW) reflects the constrained attack vector and high complexity of exploitation.

Defensive priority

LOW

Recommended defensive actions

• Upgrade OpenSC to version 0.27.0-rc1 or later which contains the fix in commit 3f24f0b
• Restrict physical access to systems utilizing PIV smart card authentication
• Monitor for anomalous USB device connections in environments where PIV cards are used
• Apply principle of least privilege for smart card middleware operations
• Review and validate PIV card provisioning processes to prevent introduction of malicious devices

Evidence notes

Vulnerability disclosed via Vulncheck advisory; fix confirmed in OpenSC GitHub commit 3f24f0b and pull request 3558. CVSS 4.0 vector indicates physical attack vector (AV:P), high attack complexity (AC:H), and low impacts to confidentiality, integrity, and availability.

Official resources