PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-40528 OpenSC CVE debrief

A buffer overrun vulnerability exists in OpenSC versions prior to 0.27.0 in the `do_key_value()` function in `src/pkcs15init/profile.c`. The flaw is triggered while `pkcs15-init` parses a profile configuration file. A key value entry that begins with '=' and carries more characters than the destination holds is copied into a fixed-size buffer with `memcpy` and no length check, producing stack and heap buffer overruns. The vulnerability was remediated in commit 0358817. The CVSS 4.0 vector indicates a physical attack vector, high attack complexity, and low impact to confidentiality, integrity, and availability.

Vendor
OpenSC
Product
Unknown
CVSS
LOW 1
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-29
Original CVE updated
2026-05-29
Advisory published
2026-05-29
Advisory updated
2026-05-29

Who should care

Organizations that deploy OpenSC for smart card and cryptographic token management, particularly those that run pkcs15-init with custom profile configurations in multi-user or shared environments where the integrity of the profile files cannot be guaranteed.

Technical summary

The vulnerability resides in the `do_key_value()` function in OpenSC's `src/pkcs15init/profile.c`. When parsing profile configuration files during `pkcs15-init` operations, the function handles key value entries whose value starts with '=', which marks a literal value. The implementation uses `memcpy` to copy the literal into `keybuf` without verifying that its length does not exceed `sizeof(keybuf)`. Because the missing check is in the copy itself, the overrun can land on the stack or the heap depending on where the destination buffer lives in the calling code, which is why both CWE-121 and CWE-122 are assigned. Exploitation requires local access plus the ability to place or modify a profile file that pkcs15-init will read; that precondition, together with the need to control what the overwritten bytes end up affecting, is what the high attack complexity and low score reflect.
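As an added illustration (this is example code written for this debrief, not OpenSC's `do_key_value()`), the following C model puts the vulnerable pattern the summary describes next to a hardened form. The buffer size of 32, the function names, the sentinel-filled shadow region used to measure how far the copy runs past the buffer, and the sample inputs are all assumptions made for the demonstration; the real function also accepts hex-encoded values, which this model leaves out.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define KEYBUF_SIZE 32   /* assumed size of the fixed key buffer (illustrative, not OpenSC's) */
#define SHADOW_SIZE 64   /* models whatever sits in memory right after the buffer */
#define SENTINEL    0xA5 /* fill pattern used to detect bytes written past keybuf */

/* Outcome of handling one profile key value. */
struct parse_result {
    int    ok;        /* 1 if the value was accepted and copied */
    size_t copied;    /* bytes written starting at keybuf[0] */
    size_t clobbered; /* sentinel bytes after keybuf that were overwritten */
};

/* Skip blanks; accept only the '='-prefixed literal form and return the
 * text after the marker.  Hex-encoded values, which the real parser also
 * accepts, are outside this model and are rejected. */
static const char *literal_value(const char *value)
{
    while (*value == ' ' || *value == '\t')
        value++;
    return (*value == '=') ? value + 1 : NULL;
}

/* Vulnerable pattern: memcpy(keybuf, literal, strlen(literal)) with no
 * comparison against the buffer size.  To keep the demo memory-safe,
 * keybuf is the first KEYBUF_SIZE bytes of one larger heap region and the
 * bytes after it are pre-filled with SENTINEL, so the overrun is measured
 * instead of corrupting real stack or heap metadata. */
static struct parse_result key_value_vulnerable(const char *value)
{
    struct parse_result r = { 0, 0, 0 };
    const char *lit = literal_value(value);
    if (lit == NULL)
        return r;

    size_t len = strlen(lit);
    size_t region_len = KEYBUF_SIZE + SHADOW_SIZE + len;
    unsigned char *region = malloc(region_len);
    if (region == NULL)
        return r;
    unsigned char *keybuf = region;
    memset(region + KEYBUF_SIZE, SENTINEL, region_len - KEYBUF_SIZE);

    memcpy(keybuf, lit, len);          /* the unchecked copy */

    for (size_t i = 0; i < SHADOW_SIZE; i++)
        if (region[KEYBUF_SIZE + i] != SENTINEL)
            r.clobbered++;
    r.ok = 1;
    r.copied = len;
    free(region);
    return r;
}

/* Hardened pattern: refuse any literal that does not fit in keybuf. */
static struct parse_result key_value_hardened(const char *value)
{
    struct parse_result r = { 0, 0, 0 };
    unsigned char keybuf[KEYBUF_SIZE];
    const char *lit = literal_value(value);
    if (lit == NULL)
        return r;

    size_t len = strlen(lit);
    if (len > sizeof(keybuf))          /* the bounds check the vulnerable code lacks */
        return r;
    memcpy(keybuf, lit, len);
    r.ok = 1;
    r.copied = len;
    return r;
}

/* Constructed sample input: '=' followed by n 'A' bytes (capped at 254). */
static const char *oversized_literal(size_t n)
{
    static char buf[256];
    if (n > sizeof(buf) - 2)
        n = sizeof(buf) - 2;
    buf[0] = '=';
    memset(buf + 1, 'A', n);
    buf[n + 1] = '\0';
    return buf;
}

int main(void)
{
    const char *small = "=secretkey";          /* 9-byte literal: fits */
    const char *big = oversized_literal(80);   /* 80-byte literal: 48 bytes past the end */
    struct parse_result v1 = key_value_vulnerable(small);
    struct parse_result v2 = key_value_vulnerable(big);
    struct parse_result h2 = key_value_hardened(big);
    printf("vulnerable, 9-byte value : ok=%d copied=%zu clobbered=%zu\n", v1.ok, v1.copied, v1.clobbered);
    printf("vulnerable, 80-byte value: ok=%d copied=%zu clobbered=%zu\n", v2.ok, v2.copied, v2.clobbered);
    printf("hardened,   80-byte value: ok=%d copied=%zu clobbered=%zu\n", h2.ok, h2.copied, h2.clobbered);
    return 0;
}
```

The vulnerable variant accepts the 80-byte literal and overwrites 48 bytes beyond the 32-byte buffer; the hardened variant rejects it before any copy. In real code those 48 bytes land on whatever follows the buffer, a saved return address when the buffer is on the stack or a neighbouring allocation when it is on the heap, which is the difference between the two CWEs listed in the evidence notes.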

Defensive priority

low

Recommended defensive actions

  • Upgrade OpenSC to version 0.27.0 or later, which contains the fix in commit 0358817
  • Audit systems for OpenSC installations prior to 0.27.0, particularly those that run pkcs15-init with custom profile configurations
  • Restrict write access to profile configuration files and the directories pkcs15-init reads them from, so that only trusted administrators can introduce key value entries
  • Monitor for pkcs15-init crashes (segmentation faults or aborts) during profile processing, which may indicate exploitation attempts
  • Review application logs for profile parsing errors as potential indicators of attack attempts

Evidence notes

Vulnerability disclosed via VulnCheck advisory; fix confirmed in OpenSC commit 0358817ec74aeca654f83e7709c7720b14c5db59. CWE-121 (Stack-based Buffer Overflow) and CWE-122 (Heap-based Buffer Overflow) identified as the primary weakness types.

Official resources

2026-05-29