CVE-2026-40528 PUBLISHED

OpenSC < 0.27.0 Buffer Overrun in do_key_value() via profile.c

Assigner: VulnCheck
Reserved: 13.04.2026 Published: 29.05.2026 Updated: 29.05.2026

OpenSC before 0.27.0, fixed in commit 0358817, contains a stack and heap buffer overrun vulnerability in the do_key_value() function in src/pkcs15init/profile.c that allows attackers to corrupt memory by supplying a crafted profile configuration file. During pkcs15-init invocation, a key value entry beginning with '=' followed by more than sizeof(keybuf) characters is copied into keybuf via memcpy without a length check, causing both stack and heap buffer overruns.

CVSS Vector: CVSS:4.0/AV:P/AC:H/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
CVSS Score: 1

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Physical	Confidentiality	Low	Confidentiality	None
Attack Complexity	High	Integrity	Low	Integrity	None
Attack Requirements	None	Availability	Low	Availability	None
Privileges Required	None
User Interaction	Passive

CVSS 4.0

CVSS Vector: CVSS:3.1/AV:P/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L
CVSS Score: 3.8

Attack Vector	Physical	Scope	Unchanged
Attack Complexity	High	Confidentiality Impact	Low
Privileges Required	None	Integrity Impact	Low
User Interaction	Required	Availability Impact	Low

CVSS 3.1

Product Status

Vendor	OpenSC
Product	OpenSC
Versions	Default: affected affected from 0 to 0.27.0 (excl.) affected from 0 to 0358817ec74aeca654f83e7709c7720b14c5db59 (excl.)

CVE-2026-40528 PUBLISHED

OpenSC < 0.27.0 Buffer Overrun in do_key_value() via profile.c

Metrics

Product Status

Credits

References

Problem Types