CVE-2026-40510: OpenSC PIV Stack Buffer Overflow – Smart Card Vulnerability
OpenSC, a widely-used open-source smart card library, contains a stack buffer overflow flaw in how it processes the Key History Object from PIV (Personal Identity Verification) cards. An attacker with physical access to a system could craft a malicious smart card or USB device that returns an oversized URL field—exceeding 118 bytes—triggering memory corruption. This vulnerability requires the attacker to be physically present at the machine and involves user interaction, limiting its reach but posing a real concern in environments where untrusted hardware may be connected.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 3.8 LOW · CVSS:3.1/AV:P/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L
- Weaknesses (CWE)
- CWE-121
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-05-29 / 2026-06-17
NVD description (verbatim)
OpenSC before 0.27.0-rc1, fixed in commit 3f24f0b, contains a stack buffer overflow vulnerability in piv_process_history() in src/libopensc/card-piv.c that allows physically present attackers to trigger memory corruption by presenting a crafted PIV smart card or USB device returning a URL field longer than 118 bytes in the Key History Object ASN.1 response.
3 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability exists in the piv_process_history() function within src/libopensc/card-piv.c. The function fails to properly validate the length of the URL field in the Key History Object's ASN.1 response, allowing a crafted PIV device to write beyond the 118-byte stack buffer boundary. This classic stack buffer overflow can corrupt adjacent stack memory, potentially leading to information disclosure or localized code execution depending on the memory layout and compiler optimizations in place. The flaw was remediated in commit 3f24f0b, included in OpenSC version 0.27.0-rc1 and later.
Business impact
For organizations relying on OpenSC for smart card authentication—including federal agencies, financial institutions, and enterprises with PIV-based access control—this vulnerability introduces a localized but non-trivial risk. An attacker with physical access could potentially bypass smart card validation or exfiltrate sensitive data from memory. The attack surface is limited to scenarios where users connect external smart card readers or USB devices to systems running vulnerable OpenSC versions, but the consequences (memory corruption leading to potential privilege escalation or data theft) warrant prompt patching in security-sensitive environments.
Affected systems
OpenSC versions prior to 0.27.0-rc1 are affected across all platforms where the library is compiled and used. This includes Linux distributions, BSD systems, macOS, and Windows endpoints. Any application linking OpenSC and processing PIV cards—such as authentication services, VPN clients, or smart card middleware—inherits the risk. Verify the specific OpenSC version deployed in your environment by running 'opensc-tool --version' or checking your package manager.
Exploitability
Exploitation requires physical presence (AV:P) and is classified as low severity (CVSS 3.8). The attacker must present a crafted smart card or USB device; they cannot trigger the vulnerability remotely or through network interaction. Additionally, the attack vector assumes user interaction (UI:R), as the vulnerable code path is only reached when a user or automated process attempts to read the Key History Object from the malicious device. While these constraints significantly limit real-world attack scenarios, organized adversaries with supply-chain access or in physical-access threat models should treat this seriously.
Remediation
Upgrade OpenSC to version 0.27.0-rc1 or later. Organizations should test the release candidate or wait for the stable 0.27.0 release if production stability is a concern. For environments unable to upgrade immediately, restrict physical access to smart card readers and disable PIV support if not required. Monitor process memory and system logs for unexpected behavior when smart card readers are in use.
Patch guidance
Apply the fix from commit 3f24f0b by updating to OpenSC 0.27.0-rc1 or later. Consult your Linux distribution's package repositories or build from the official OpenSC GitHub repository. Test the patch in a non-production environment first to ensure compatibility with your authentication infrastructure. Automated deployment tooling (Ansible, Puppet, etc.) should be updated to pull the patched version. Document the upgrade in your change management system and communicate timelines to teams relying on smart card authentication.
Detection guidance
Monitor system and application logs for errors related to smart card parsing or PIV card reading failures—these may indicate exploit attempts. Memory protection tools (AddressSanitizer, Valgrind) will catch stack buffer overflows if run in development or testing. In production, use endpoint detection and response (EDR) tools to flag unexpected segmentation faults or memory access violations in processes using OpenSC. Additionally, audit which systems have external smart card readers connected and cross-reference against OpenSC version inventory.
Why prioritize this
Although the CVSS score is low (3.8), the vulnerability should be prioritized in environments where PIV smart cards are actively used for authentication or access control. The attack requires physical presence and user interaction, substantially reducing risk in typical office settings. However, for facilities with high-value physical security (data centers, government buildings, research labs), where an attacker could feasibly present a malicious device, this deserves near-term remediation. The stack buffer overflow also introduces uncertainty regarding exploitability; memory corruption vulnerabilities can sometimes be escalated beyond their baseline assessment.
Risk score, explained
The CVSS 3.1 vector (AV:P/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L) reflects the physical-only attack surface, high attack complexity, and requirement for user interaction, all of which suppress the score. The impact metrics are conservative—memory corruption may leak small amounts of sensitive data (C:L), modify stack state (I:L), and potentially cause denial of service (A:L). The score of 3.8 accurately captures a localized, difficult-to-exploit flaw; however, organizations in high-assurance environments should evaluate their threat model independently and not rely solely on the numeric score.
Frequently asked questions
Do I need to patch if my organization doesn't use PIV cards?
No, this vulnerability is specific to OpenSC's PIV card processing. If your organization uses OpenSC solely for other smart card types (e.g., PKCS#15 cards without PIV extensions) and does not enable or invoke PIV functionality, you are not directly affected. However, verify your OpenSC configuration and application usage to confirm.
Can this vulnerability be exploited remotely?
No. The attack vector is strictly physical (AV:P). An attacker must be physically present at the machine and connect a crafted smart card or USB device directly to a card reader. Remote exploitation is not possible.
What happens if the buffer overflow is triggered?
The vulnerability causes memory corruption on the stack. Depending on the system architecture, compiler optimizations, and memory layout, this could result in information disclosure (leaking nearby stack data), denial of service (crash), or, in rare cases, arbitrary code execution. The CVSS assessment assumes conservative impact; individual environments may differ.
How do I verify my OpenSC version?
Run the command 'opensc-tool --version' from the command line. Alternatively, check your system's package manager: 'dpkg -l | grep opensc' (Debian/Ubuntu), 'rpm -qa | grep opensc' (Red Hat/CentOS), or 'brew list opensc' (macOS). Compare the reported version against 0.27.0-rc1; anything earlier is vulnerable.
This analysis is provided for informational purposes and reflects publicly available vulnerability data as of the published date. The CVSS score and severity assessment are based on the official CVE record. Organizations should conduct independent risk assessments tailored to their specific threat model, smart card deployment, and access controls. Always verify patch compatibility in a test environment before deploying to production. Consult the official OpenSC project documentation and vendor security advisories for authoritative guidance. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-40528LOWOpenSC Buffer Overflow in pkcs15-init Profile Parser
- CVE-2026-10528LOWOrthanc DICOM Server Stack Buffer Overflow – Patch Guidance
- CVE-2018-25383HIGHFree MP3 CD Ripper 2.8 Stack Overflow – ROP and DEP Bypass Risk
- CVE-2025-59613MEDIUMQualcomm Memory Corruption Vulnerability – Firmware Security Impact
- CVE-2026-10062HIGHTRENDnet TEW-432BRP Stack Overflow – EOL Hardware Risk
- CVE-2026-10063HIGHTRENDnet TEW-432BRP Stack Overflow – End-of-Life Router Vulnerability
- CVE-2026-10064MEDIUMTRENDnet TEW-432BRP Stack Overflow – Unpatched EOL Router Vulnerability
- CVE-2026-10065HIGHShibby Tomato 1.28 Stack Buffer Overflow in tomatodata.cgi