CVE-2026-10275
Description
A global buffer overflow in OpenSC's pkcs11-tool allows attackers to trigger memory corruption via malicious smart card responses during key generation.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A global buffer overflow vulnerability exists in OpenSC versions up to 0.26.1 within the test_kpgen_certwrite function of src/tools/pkcs11-tool.c. The vulnerability occurs because the application fails to validate the length of the CKA_ID attribute returned by a PKCS#11 token or smart card before copying it into a fixed-size global static buffer of 100 bytes [1].
Exploitation
An attacker must induce a victim to interact with a malicious PKCS#11 module or a compromised physical smart card device using pkcs11-tool [1]. By crafting a device that returns an object ID exceeding 100 bytes during key pair generation tests (such as -z or --test-kpgen), the attacker can trigger the unsafe memcpy operation, leading to a buffer overflow [1].
Impact
Successful exploitation of this vulnerability results in memory corruption, which may lead to an application crash or potentially arbitrary code execution depending on the execution context and the ability of an attacker to control the overflowed data [1].
Mitigation
The vulnerability is addressed in commit 814f745b3b6d100295f65f1935edd33d520d33ab, which introduces explicit length checks before copying the object ID into the static buffer [4]. Users are advised to update to a version containing this patch [1][2].
AI Insight generated on Jun 1, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- OpenSC, version range: <=0.26.1
Patches
814f745b3b6d pkcs11-tool: prevent buffer overflow
1 file changed · +6 −0
src/tools/pkcs11-tool.c+6 −0 modified@@ -1342,6 +1342,8 @@ int main(int argc, char * argv[]) } if (opt_uri->id) { opt_object_id_len = opt_uri->id_len; + if (opt_object_id_len > sizeof(opt_object_id)) + util_fatal("URI's object ID too long"); memcpy(opt_object_id, opt_uri->id, opt_object_id_len); } } @@ -9608,6 +9610,10 @@ static CK_SESSION_HANDLE test_kpgen_certwrite(CK_SLOT_ID slot, CK_SESSION_HANDLE return session; } opt_object_id_len = (size_t) i; + if (opt_object_id_len > sizeof(opt_object_id)) { + fprintf(stderr, "ERR: object ID too long\n"); + return session; + } memcpy(opt_object_id, tmp, opt_object_id_len); /* This is done in NSS */
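Review bot: in the main() hunk the bound `opt_object_id_len > sizeof(opt_object_id)` is the right comparison for a raw byte buffer (a length exactly equal to the buffer size still fits the memcpy), but the fatal message "URI's object ID too long" gives the user nothing to act on; including the offending length and the limit (e.g. `util_fatal("URI's object ID too long (%zu > %zu)", ...)`) would make the rejection diagnosable without reading the source.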
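Review bot: in the test_kpgen_certwrite hunk the global `opt_object_id_len = (size_t) i;` is assigned before the new length check, so on the error path the function returns with `opt_object_id_len` holding the oversized value while `opt_object_id` was never written; any later code that pairs the two globals would read past the 100-byte buffer. Either test `i` before the assignment or reset `opt_object_id_len = 0;` inside the error branch before `return session;`.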
Vulnerability mechanics
Root cause
"The application fails to validate the length of data returned from PKCS#11 hardware before copying it into a fixed-size global buffer, leading to a buffer overflow."
Attack vector
An attacker can trigger this vulnerability by providing a malicious PKCS#11 module or a compromised smart card that returns an excessively large CKA_ID attribute [ref_id=1]. When the victim uses `pkcs11-tool` to interact with this device, the `test_kpgen_certwrite` function performs an unchecked `memcpy` of the oversized data into a 100-byte global buffer [ref_id=1]. This results in a global buffer overflow, which can corrupt adjacent memory and potentially lead to arbitrary code execution [ref_id=1].
Affected code
The vulnerability is located in the `test_kpgen_certwrite` function within `src/tools/pkcs11-tool.c` [ref_id=1]. The issue specifically involves the handling of the `opt_object_id` global buffer [ref_id=1, patch_id=4328637].
What the fix does
The patch introduces explicit bounds checking before the `memcpy` operations in `src/tools/pkcs11-tool.c` [patch_id=4328637]. It compares the length of the retrieved object ID against the size of the destination buffer `opt_object_id` [patch_id=4328637]. If the length exceeds the buffer capacity, the tool now reports an error and terminates the operation, preventing the out-of-bounds write [patch_id=4328637, ref_id=1].
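As an added illustration of the fix described above (a constructed example, not OpenSC's own code): the token-supplied CKA_ID length is validated against a fixed 100-byte buffer before any memcpy, and the recorded length is reset on rejection so no stale value survives the error path. The buffer name, its size, and the function names are assumptions chosen to mirror the page's description of `opt_object_id`; the simulated token response is constructed input.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed example: a fixed-size global buffer of 100 bytes, mirroring the
 * page's description of opt_object_id. Names are assumptions, not OpenSC code. */
#define OBJECT_ID_MAX 100
static unsigned char object_id[OBJECT_ID_MAX];
static size_t object_id_len;

/* The unsafe pattern (the bug): trusts the length the token returned and copies
 * it straight into the fixed buffer. Shown for contrast only; never called here. */
static void copy_object_id_unchecked(const unsigned char *id, size_t len)
{
    object_id_len = len;
    memcpy(object_id, id, len); /* writes past object_id when len > 100 */
}

/* The hardened pattern (the fix): validate before copying, and leave the global
 * length at zero when rejecting so later code cannot pair a stale length with
 * a buffer that was never filled. Returns 0 on success, -1 on rejection. */
int copy_object_id_checked(const unsigned char *id, size_t len)
{
    if (id == NULL || len > sizeof(object_id)) {
        object_id_len = 0;
        fprintf(stderr, "ERR: object ID too long (%zu > %zu)\n",
                len, sizeof(object_id));
        return -1;
    }
    memcpy(object_id, id, len);
    object_id_len = len;
    return 0;
}

size_t current_object_id_len(void)
{
    return object_id_len;
}

/* Simulated token response (constructed): produces a CKA_ID of the requested
 * length so the check can be exercised at and just beyond the 100-byte limit,
 * then feeds it through the hardened copy. Returns the copy's result code. */
int simulate_token_response(size_t want)
{
    static unsigned char cka_id[256];
    size_t n = want < sizeof(cka_id) ? want : sizeof(cka_id);
    for (size_t i = 0; i < n; i++)
        cka_id[i] = (unsigned char)(i & 0xff);
    return copy_object_id_checked(cka_id, n);
}

int main(void)
{
    (void)copy_object_id_unchecked; /* referenced only to document the contrast */
    printf("100-byte ID: %s\n", simulate_token_response(100) == 0 ? "accepted" : "rejected");
    printf("101-byte ID: %s\n", simulate_token_response(101) == 0 ? "accepted" : "rejected");
    return 0;
}
```

A 100-byte ID is accepted because the buffer holds exactly that many raw bytes (no terminator is needed); a 101-byte ID is rejected and the recorded length drops back to zero. Building the tool with AddressSanitizer, as the page's reproduction notes suggest, is the quickest way to confirm that the unchecked form faults on the same input while the checked form does not.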
Preconditions
- Input: the victim must interact with a malicious PKCS#11 module or a compromised smart card that returns an oversized CKA_ID attribute.
Reproduction
The vulnerability can be reproduced by using a custom PKCS#11 shared library that returns a CKA_ID longer than 100 bytes when queried by `pkcs11-tool` [ref_id=1]. The provided reproduction package includes a mock module and script to trigger the overflow, which can be verified using AddressSanitizer [ref_id=1].
Generated on Jun 1, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/OpenSC/OpenSC/commit/814f745b3b6d100295f65f1935edd33d520d33ab (source: nvd)
- github.com/OpenSC/OpenSC/issues/3682 (source: nvd)
- github.com/OpenSC/OpenSC/pull/3684 (source: nvd)
- pan.baidu.com/s/1nrZPKDz2eAcCpsaFiIRlrg (source: nvd)
- vuldb.com/cve/CVE-2026-10275 (source: nvd)
- vuldb.com/submit/825403 (source: nvd)
- vuldb.com/vuln/367568 (source: nvd)
- vuldb.com/vuln/367568/cti (source: nvd)