Skip to main content

OpenSC pkcs11-tool CVE-2026-10275

| EUVD-2026-33680 LOW
Classic Buffer Overflow (CWE-120)
2026-06-01 VulDB GHSA-c758-vvqj-x96q
Buffer Overflow Opensc
1.3
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
1.3 LOW
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

4
Source Code Evidence Fetched
Jun 01, 2026 - 17:24 vuln.today
Analysis Generated
Jun 01, 2026 - 17:24 vuln.today
Severity Changed
Jun 01, 2026 - 17:22 NVD
MEDIUM LOW
CVSS changed
Jun 01, 2026 - 17:22 NVD
5.0 (MEDIUM) 1.3 (LOW)

DescriptionCVE.org

A flaw has been found in OpenSC up to 0.26.1. This affects the function test_kpgen_certwrite of the file src/tools/pkcs11-tool.c of the component pkcs11-tool Key Generation Module. This manipulation causes buffer overflow. The attack is possible to be carried out remotely. The complexity of an attack is rather high. It is indicated that the exploitability is difficult. The exploit has been published and may be used. Patch name: 814f745b3b6d100295f65f1935edd33d520d33ab. It is recommended to apply a patch to fix this issue.

AnalysisAI

Buffer overflow in OpenSC's pkcs11-tool component (versions up to and including 0.26.1) exposes users of the key generation functionality to memory corruption when processing maliciously oversized PKCS#11 URI object IDs. An unauthenticated remote attacker can trigger the flaw in the test_kpgen_certwrite function, but exploitation requires passive user interaction and high attack complexity, reflected in the extremely low CVSS 4.0 score of 1.3 with impact limited to the vulnerable component only. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Attacker crafts PKCS#11 URI with oversized object ID
Delivery
Deliver crafted URI to target user via social engineering
Exploit
User runs pkcs11-tool key generation with malicious URI
Execution
test_kpgen_certwrite copies object ID without bounds check
Persist
opt_object_id buffer overflows into adjacent memory
Impact
Limited corruption of process confidentiality, integrity, or availability
Sign in to reveal

Vulnerability AssessmentAI

Exploitation Exploitation specifically requires a user to invoke pkcs11-tool's key generation functionality and supply a PKCS#11 URI with an object ID whose length exceeds sizeof(opt_object_id) - this is the precise trigger confirmed by the patch diff adding the check 'if (opt_object_id_len > sizeof(opt_object_id))'. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 score of 1.3 accurately reflects genuinely low real-world risk for this vulnerability. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker crafts a PKCS#11 URI with an object ID field that exceeds the length of the opt_object_id buffer in pkcs11-tool, then socially engineers a target user into running a pkcs11-tool key generation command (--keypairgen or equivalent) with that malicious URI as input. When the oversized object ID is processed by test_kpgen_certwrite without the now-patched length check, adjacent memory is overwritten, yielding low-severity corruption of confidentiality, integrity, or availability within the pkcs11-tool process. …
Remediation Apply upstream fix commit 814f745b3b6d100295f65f1935edd33d520d33ab, available at https://github.com/OpenSC/OpenSC/commit/814f745b3b6d100295f65f1935edd33d520d33ab, which adds explicit bounds validation - checking opt_object_id_len against sizeof(opt_object_id) - at two code points in pkcs11-tool.c. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-10275 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy