CVE-2026-40528
Description
OpenSC before 0.27.0, fixed in commit 0358817, contains a stack and heap buffer overrun vulnerability in the do_key_value() function in src/pkcs15init/profile.c that allows attackers to corrupt memory by supplying a crafted profile configuration file. During pkcs15-init invocation, a key value entry beginning with '=' followed by more than sizeof(keybuf) characters is copied into keybuf via memcpy without a length check, causing both stack and heap buffer overruns.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
OpenSC before 0.27.0 has a stack and heap buffer overrun in do_key_value() when parsing a crafted profile file, leading to memory corruption.
Vulnerability
In OpenSC versions before 0.27.0, the do_key_value() function in src/pkcs15init/profile.c contains a stack and heap buffer overrun vulnerability. When a crafted profile configuration file is parsed during pkcs15-init invocation, a key value entry that begins with '=' followed by more than sizeof(keybuf) characters is copied into keybuf via memcpy without a length check. This results in both stack and heap buffer overruns. The vulnerability was fixed in commit 0358817 [1] [2].
Exploitation
An attacker needs to get a specially crafted profile configuration file in front of OpenSC's pkcs15-init tool. The profile must contain a key entry whose value starts with '=' and continues with more than sizeof(keybuf) characters. The attacker either has write access to the filesystem to place or alter the profile, or convinces a user to run pkcs15-init with a file they supply. No authentication or network access is needed; local filesystem access, or user interaction on the victim's part, is sufficient [1].
Impact
Successful exploitation results in memory corruption due to stack and heap buffer overruns. This can lead to application crashes or potentially arbitrary code execution under the privileges of the user running pkcs15-init. The corruption is limited to the memory space of the calling process, but the attacker may be able to compromise data integrity or confidentiality [1] [2].
Mitigation
OpenSC version 0.27.0 contains the fix from commit 0358817, released on 2026-05-29. Users should upgrade to this version or later. There is no viable workaround for affected versions other than avoiding untrusted profile files. This CVE is not listed in CISA's Known Exploited Vulnerabilities catalog [1] [2].
AI Insight generated on May 29, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Patches
0358817ec74a  profile: Avoid possible buffer overrun
1 file changed · +4 −0
src/pkcs15init/profile.c+4 −0 modified@@ -992,6 +992,10 @@ do_key_value(struct state *cur, int argc, char **argv) if (key[0] == '=') { ++key; key_len = strlen(key); + if (key_len > sizeof(keybuf)) { + parse_error(cur, "Key value too long (%zu > %zu)\n", key_len, sizeof(keybuf)); + return 1; + } memcpy(keybuf, key, key_len); } else { key_len = sizeof(keybuf);
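Review bot: the new check bounds only the copy into keybuf; key_len is still carried out of the if/else and consumed after this hunk, and the `else` branch already caps it at `sizeof(keybuf)`, so confirm that the consumer of keybuf/key_len (not shown here) accepts exactly `sizeof(keybuf)` bytes, otherwise the heap overrun named in the CVE is not fully closed by this check alone. `key_len > sizeof(keybuf)` correctly admits a value of exactly `sizeof(keybuf)` bytes; a regression test with values of `sizeof(keybuf)` and `sizeof(keybuf) + 1` bytes would pin both edges.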
Vulnerability mechanics
Root cause
"Missing length check in do_key_value() allows memcpy to copy a string longer than the destination buffer, causing stack and heap buffer overruns."
Attack vector
An attacker supplies a crafted profile configuration file to the `pkcs15-init` tool. The file contains a key-value entry such as `value = "=XXXX..."` whose quoted string, after the leading `=`, is longer than `sizeof(keybuf)`. When `do_key_value()` processes this entry, it strips the leading `=`, takes `strlen()` of the remainder as `key_len`, and copies that many bytes into `keybuf` via `memcpy` without checking that the length fits [patch_id=3078864]. The attack requires the attacker to provide the malicious profile file and a user to invoke `pkcs15-init` with it: local access and user interaction are the preconditions.
Affected code
The vulnerability resides in the `do_key_value()` function in `src/pkcs15init/profile.c`, which handles the `value` entry of a key definition while a profile configuration file is parsed. A value beginning with `=` is treated as a literal key: the `=` is stripped, `key_len` is set from `strlen()` of the remainder, and `key_len` bytes are copied into the fixed-size stack buffer `keybuf` via `memcpy` with no comparison against `sizeof(keybuf)`. That copy overruns the stack when the value is longer than `keybuf`; the same oversized `key_len` is then carried out of the branch and used for the copy of `keybuf` into the heap-allocated key record, which is the heap overrun the advisory names. The hex path in the `else` branch caps `key_len` at `sizeof(keybuf)`, so only the literal `=` path is affected.
What the fix does
The patch adds a length check before the `memcpy` call: if `key_len > sizeof(keybuf)`, the function calls `parse_error()` and returns early with an error code [patch_id=3078864]. This prevents the buffer overrun by rejecting overly long key values before any copy occurs. The fix is minimal—only four lines added—and directly addresses the missing bounds check that caused both stack and heap corruption.
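The `=` branch and its fix, reduced to a stand-alone C model (an added example, not OpenSC's code): the unchecked copy of the pre-fix function beside the checked copy the patch introduces, run against a crafted value at and just past the buffer size. `KEYBUF_SIZE`, `struct key_record`, the function names and the `'A'`-filled value are assumptions; the real size of `keybuf` is not given on this page.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumption: stands in for sizeof(keybuf) in do_key_value(). */
#define KEYBUF_SIZE 32

/* Hypothetical heap-allocated record that receives the parsed key. */
struct key_record {
    unsigned char key[KEYBUF_SIZE];
    size_t key_len;
};

/* Vulnerable shape (pre-fix): the length is never compared with the buffer.
 * Only call it with a value that fits; it is here to contrast with the fix. */
static int parse_key_value_unchecked(struct key_record *rec, const char *value)
{
    unsigned char keybuf[KEYBUF_SIZE];
    size_t key_len;

    if (value[0] != '=')
        return -1;                      /* hex branch is not modelled here */
    ++value;
    key_len = strlen(value);
    memcpy(keybuf, value, key_len);     /* stack overrun when key_len > sizeof keybuf */
    memcpy(rec->key, keybuf, key_len);  /* same unchecked length reused: heap overrun */
    rec->key_len = key_len;
    return 0;
}

/* Fixed shape: reject before any copy, as the patch does.
 * Returns 0 on success, 1 on rejection, -1 for a value without the '=' prefix. */
static int parse_key_value_checked(struct key_record *rec, const char *value)
{
    unsigned char keybuf[KEYBUF_SIZE];
    size_t key_len;

    if (value[0] != '=')
        return -1;
    ++value;
    key_len = strlen(value);
    if (key_len > sizeof(keybuf)) {
        fprintf(stderr, "Key value too long (%zu > %zu)\n", key_len, sizeof(keybuf));
        return 1;
    }
    memcpy(keybuf, value, key_len);
    memcpy(rec->key, keybuf, key_len);
    rec->key_len = key_len;
    return 0;
}

/* Constructed input: '=' followed by n bytes of 'A', as a crafted profile
 * value would carry it. Caller frees. */
static char *make_crafted_value(size_t n)
{
    char *v = malloc(n + 2);
    if (v == NULL)
        return NULL;
    v[0] = '=';
    memset(v + 1, 'A', n);
    v[n + 1] = '\0';
    return v;
}

/* Runs the checked parser on a crafted value of n bytes and returns its rc. */
static int checked_result_for_len(size_t n)
{
    struct key_record rec;
    char *v = make_crafted_value(n);
    int rc;

    if (v == NULL)
        return -2;
    memset(&rec, 0, sizeof rec);
    rc = parse_key_value_checked(&rec, v);
    free(v);
    return rc;
}

int main(void)
{
    struct key_record rec;

    memset(&rec, 0, sizeof rec);
    parse_key_value_unchecked(&rec, "=short");   /* fits: both shapes agree */
    printf("unchecked, 5 bytes: rc=0 len=%zu\n", rec.key_len);
    printf("checked, %d bytes: rc=%d\n", KEYBUF_SIZE, checked_result_for_len(KEYBUF_SIZE));
    printf("checked, %d bytes: rc=%d\n", KEYBUF_SIZE + 1, checked_result_for_len(KEYBUF_SIZE + 1));
    printf("checked, %d bytes: rc=%d\n", KEYBUF_SIZE * 8, checked_result_for_len(KEYBUF_SIZE * 8));
    return 0;
}
```

The boundary worth keeping in a regression test is the pair `KEYBUF_SIZE` (accepted, buffer exactly full) and `KEYBUF_SIZE + 1` (rejected): the patch's `>` comparison is what makes the first case legal, and an off-by-one in either direction would show up here before it showed up as a crash.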
Preconditions
- input: The attacker must supply a crafted profile configuration file to the pkcs15-init tool.
- auth: A user must invoke pkcs15-init with the malicious profile file.
- network: Physical or local system access is required to provide the profile file; no network path is involved.
Generated on May 29, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
No linked articles in our index yet.