Description
OpenSC before 0.27.0, fixed in commit 0358817, contains a stack and heap buffer overrun vulnerability in the do_key_value() function in src/pkcs15init/profile.c that allows attackers to corrupt memory by supplying a crafted profile configuration file. During pkcs15-init invocation, a key value entry beginning with '=' followed by more than sizeof(keybuf) characters is copied into keybuf via memcpy without a length check, causing both stack and heap buffer overruns.
Published: 2026-05-29
Score: 1 Low
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

OpenSC versions prior to 0.27.0 contain a stack and heap buffer overrun in the do_key_value() function located in src/pkcs15init/profile.c. The vulnerability is triggered when a key value entry that begins with '=' and contains more characters than the internal key buffer size is supplied to pkcs15-init. The code copies this entry into a fixed‑size buffer using memcpy without checking the length, allowing an attacker to corrupt adjacent memory and potentially gain arbitrary code execution or cause a crash.

Affected Systems

The affected product is OpenSC released by the OpenSC vendor, for all versions earlier than 0.27.0. No other vendors or product variations are listed.

Risk and Exploitability

The CVSS score is 1, indicating low severity, and the EPSS score is not available, suggesting a small exploitation probability. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires the attacker to provide a crafted profile configuration file that is read by pkcs15‑init, implying a local or privileged user context rather than remote exploitation. If the attacker obtains write access to a profile file, memory corruption can occur, leading to possible arbitrary code execution or denial of service.

Generated by OpenCVE AI on May 29, 2026 at 14:45 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to OpenSC version 0.27.0 or later where the buffer overflow has been patched.
  • If an upgrade is not immediately possible, restrict the creation and use of profile configuration files to trusted sources and validate their integrity before invoking pkcs15‑init.
  • Consider disabling or restricting pkcs15‑init usage when operating in low‑trust environments to reduce the attack surface.

Generated by OpenCVE AI on May 29, 2026 at 14:45 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 29 May 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 29 May 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Opensc
Opensc opensc
Vendors & Products Opensc
Opensc opensc

Fri, 29 May 2026 13:45:00 +0000

Type Values Removed Values Added
Description OpenSC before 0.27.0, fixed in commit 0358817, contains a stack and heap buffer overrun vulnerability in the do_key_value() function in src/pkcs15init/profile.c that allows attackers to corrupt memory by supplying a crafted profile configuration file. During pkcs15-init invocation, a key value entry beginning with '=' followed by more than sizeof(keybuf) characters is copied into keybuf via memcpy without a length check, causing both stack and heap buffer overruns.
Title OpenSC < 0.27.0 Buffer Overrun in do_key_value() via profile.c
Weaknesses CWE-121
CWE-122
References
Metrics cvssV3_1

{'score': 3.8, 'vector': 'CVSS:3.1/AV:P/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L'}

cvssV4_0

{'score': 1, 'vector': 'CVSS:4.0/AV:P/AC:H/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N'}

Subscriptions

Opensc Opensc
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-29T13:58:18.086Z

Reserved: 2026-04-13T20:29:02.810Z

Link: CVE-2026-40528

cve-icon Vulnrichment

Updated: 2026-05-29T13:58:12.442Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-29T14:16:26.730

Modified: 2026-05-29T15:42:56.873

Link: CVE-2026-40528

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-29T15:00:17Z

Weaknesses