CVE-2026-40510

Summary

OpenSC before 0.27.0-rc1, fixed in commit 3f24f0b, contains a stack buffer overflow vulnerability in piv_process_history() in src/libopensc/card-piv.c that allows physically present attackers to trigger memory corruption by presenting a crafted PIV smart card or USB device returning a URL field longer than 118 bytes in the Key History Object ASN.1 response.

Affected Software

VendorProductVersion RangeStatus
OpenSCOpenSC0 < 0.27.0-rc1affected
OpenSCOpenSC0 < 3f24f0b48a481a8cf2e46059d8238a283ddc1c13affected

Weaknesses

  • CWE-121: Stack-based Buffer Overflow

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References