OpenSC <0.27.0-rc1 Stack Buffer Overflow in PIV smart card handling: CVE-2026-40510 May 2026

OpenSC < 0.27.0-rc1 Stack Buffer Overflow via piv_process_history() in card-piv.c
OpenSC before 0.27.0-rc1, fixed in commit 3f24f0b, contains a stack buffer overflow vulnerability in piv_process_history() in src/libopensc/card-piv.c that allows physically present attackers to trigger memory corruption by presenting a crafted PIV smart card or USB device returning a URL field longer than 118 bytes in the Key History Object ASN.1 response.

Vulnerability Analysis

CVE-2026-40510 is exploitable with physical access, requires user interaction. This vulnerability is consided to have a high level of attack complexity. The potential impact of an exploit of this vulnerability is considered to be low. considered to have a small impact on confidentiality and integrity and availability.

Attack Vector:

PHYSICAL

Attack Complexity:

HIGH

Privileges Required:

NONE

User Interaction:

REQUIRED

Scope:

UNCHANGED

Confidentiality Impact:

LOW

Integrity Impact:

LOW

Availability Impact:

LOW

Weakness Type

What is a Stack Overflow Vulnerability?

A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function).

CVE-2026-40510 has been classified to as a Stack Overflow vulnerability or weakness.

OpenSC <0.27.0-rc1 Stack Buffer Overflow in PIV smart card handling
CVE-2026-40510 Published on May 29, 2026

Vulnerability Analysis

Weakness Type

What is a Stack Overflow Vulnerability?

Affected Versions

OpenSC <0.27.0-rc1 Stack Buffer Overflow in PIV smart card handlingCVE-2026-40510 Published on May 29, 2026

Vulnerability Analysis

Weakness Type

What is a Stack Overflow Vulnerability?

Affected Versions

OpenSC <0.27.0-rc1 Stack Buffer Overflow in PIV smart card handling
CVE-2026-40510 Published on May 29, 2026