CVE-2026-40510 LOW

CVE-2026-40510: OpenSC < 0.27.0-rc1 Stack Buffer Overflow via piv_process_history() in card-piv.c

Vendor Opensc
Product OpenSC
Weakness CWE-121
Published May 29, 2026
Last update June 1, 2026

CVSS base score

1.0/10
Attack vector Physical
Attack complexity High
Privileges required None
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:P/AC:H/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

What the vulnerability does

01Description

OpenSC before 0.27.0-rc1, fixed in commit 3f24f0b, contains a stack buffer overflow vulnerability in piv_process_history() in src/libopensc/card-piv.c that allows physically present attackers to trigger memory corruption by presenting a crafted PIV smart card or USB device returning a URL field longer than 118 bytes in the Key History Object ASN.1 response.

Key dates

02Disclosure timeline

May 29, 2026 CVE published
June 1, 2026 Record updated