CVE-2026-40528— OpenSC < 0.27.0 Buffer Overrun in do_key_value() via profile.c
Possible ATT&CK Techniques 1AI
T1190 · Exploit Public-Facing ApplicationGet alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-40528
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
OpenSC < 0.27.0 Buffer Overrun in do_key_value() via profile.c
Source: NVD (National Vulnerability Database)
Vulnerability Description
OpenSC before 0.27.0, fixed in commit 0358817, contains a stack and heap buffer overrun vulnerability in the do_key_value() function in src/pkcs15init/profile.c that allows attackers to corrupt memory by supplying a crafted profile configuration file. During pkcs15-init invocation, a key value entry beginning with '=' followed by more than sizeof(keybuf) characters is copied into keybuf via memcpy without a length check, causing both stack and heap buffer overruns.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:P/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L
Source: NVD (National Vulnerability Database)
Vulnerability Type
栈缓冲区溢出
Source: NVD (National Vulnerability Database)
Vulnerability Title
OpenSC 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
OpenSC是OpenSC开源的一款开源的智能卡工具和中间件。 OpenSC 0.27.0之前版本存在安全漏洞,该漏洞源于src/pkcs15init/profile.c中的do_key_value()函数存在栈和堆缓冲区溢出漏洞,允许攻击者通过提供特制的配置文件来破坏内存。在pkcs15-init调用期间,以 = 开头且后跟超过sizeof(keybuf)字符的键值条目通过memcpy复制到keybuf中,且未进行长度检查,导致栈和堆缓冲区溢出。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2026-40528
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-40528
请登录查看更多情报信息。
Patches & Fixes for CVE-2026-40528 (1)
Vendor Advisories for CVE-2026-40528 (1)
IV. Related Vulnerabilities
Same product: OpenSC
- CVE-2026-10275
OpenSC pkcs11-tool Key Generation pkcs11-tool.c test_kpgen_c - CVE-2026-40510
OpenSC < 0.27.0-rc1 Stack Buffer Overflow via piv_process_hi - CVE-2025-13763
Libopensc: opensc: multiple uses of uninitialized variable - CVE-2025-66215
OpenSC: Stack-buffer-overflow WRITE in card-oberthur - CVE-2025-66038
OpenSC: `sc_compacttlv_find_tag` can return out-of-bounds po
Same vendor: OpenSC
- CVE-2026-40510
OpenSC < 0.27.0-rc1 Stack Buffer Overflow via piv_process_hi - CVE-2025-13763
Libopensc: opensc: multiple uses of uninitialized variable - CVE-2025-66215
OpenSC: Stack-buffer-overflow WRITE in card-oberthur - CVE-2025-66038
OpenSC: `sc_compacttlv_find_tag` can return out-of-bounds po - CVE-2025-66037
OpenSC: Out of Bounds vulnerability
Same weakness: CWE-121
- CVE-2026-48715
radvdump's Route Information Option Parser has a Stack Buffe - CVE-2026-55738
Stack Buffer Overflow in rxi/microtar raw_to_header() via no - CVE-2026-10829
NPort W2150A-W4/W2250A-W4远程代码执行漏洞 - CVE-2026-7273
Zyxel GS1900-48HPv2固件堆栈溢出致命令执行 - CVE-2026-12222
Yealink SIP-T46U Web FastCGI Service bttest mod_webd.BlueToo
V. Comments for CVE-2026-40528
No comments yet