CVE-2026-10275 Overview
CVE-2026-10275 is a buffer overflow vulnerability in OpenSC versions up to and including 0.26.1. The flaw resides in the test_kpgen_certwrite function within src/tools/pkcs11-tool.c, which is part of the pkcs11-tool Key Generation Module. Improper bounds checking on a URI-supplied object identifier allows a longer-than-expected value to be copied into a fixed-size buffer, triggering memory corruption [CWE-119].
The vulnerability is classified under the Common Weakness Enumeration as an Improper Restriction of Operations within the Bounds of a Memory Buffer. Exploitation requires user interaction and has high attack complexity. A patch is available under commit 814f745b3b6d100295f65f1935edd33d520d33ab.
Critical Impact
An attacker who supplies a crafted PKCS#11 URI can overflow a stack buffer in pkcs11-tool, leading to potential memory corruption and limited impact on confidentiality, integrity, and availability.
Affected Products
- OpenSC up to and including version 0.26.1
- pkcs11-tool utility within OpenSC
- src/tools/pkcs11-tool.c Key Generation Module
Discovery Timeline
- 2026-06-01 - CVE-2026-10275 published to NVD
- 2026-06-01 - Last updated in NVD database
Technical Details for CVE-2026-10275
Vulnerability Analysis
The vulnerability exists in OpenSC's pkcs11-tool, a command-line utility for interacting with PKCS#11 modules used for smart card and hardware token operations. The defect lies in the test_kpgen_certwrite function, which handles key pair generation and certificate write testing.
When the tool processes a PKCS#11 URI containing an object identifier (id field), it copies the identifier into a fixed-size buffer named opt_object_id without first verifying that the source length fits the destination. An attacker-controlled id_len value larger than sizeof(opt_object_id) results in a buffer overflow on the stack.
Root Cause
The root cause is a missing length check before a memcpy operation. The code copies opt_uri->id_len bytes into the static opt_object_id buffer without validating the source length. This violates safe boundary handling for PKCS#11 URI parsing.
Attack Vector
Exploitation requires the victim to invoke pkcs11-tool with a maliciously crafted PKCS#11 URI. Because user interaction is required and exploitation complexity is high, real-world abuse is constrained. The exploit has been published publicly, increasing the likelihood of opportunistic attempts.
// Patch from src/tools/pkcs11-tool.c
// Adds length validation before memcpy to prevent buffer overflow
}
if (opt_uri->id) {
opt_object_id_len = opt_uri->id_len;
+ if (opt_object_id_len > sizeof(opt_object_id))
+ util_fatal("URI's object ID too long");
memcpy(opt_object_id, opt_uri->id, opt_object_id_len);
}
}
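Review bot: the added check `if (opt_object_id_len > sizeof(opt_object_id))` runs after `opt_object_id_len = opt_uri->id_len;`, so the length variable already holds the oversized value, and the unconditional memcpy that follows is safe only because util_fatal() does not return. Consider testing `opt_uri->id_len` before the assignment so the stored length is never out of range, and note the no-return dependency in a comment at the call. The message "URI's object ID too long" would also help triage more if it reported the supplied length and the maximum.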
Source: GitHub Commit 814f745b
Detection Methods for CVE-2026-10275
Indicators of Compromise
- Unexpected crashes or segmentation faults in pkcs11-tool processes recorded in system logs or core dumps.
- Execution of pkcs11-tool with --slot or --object arguments referencing PKCS#11 URIs containing abnormally long id= parameters.
- Presence of OpenSC builds at or below version 0.26.1 on endpoints that handle smart card or HSM workflows.
Detection Strategies
- Inventory installed OpenSC packages across Linux, macOS, and Windows hosts and flag versions ≤ 0.26.1.
- Audit command-line telemetry for pkcs11-tool invocations with PKCS#11 URI strings exceeding expected id field lengths.
- Correlate process crash events for pkcs11-tool with the user account and parent process that launched it.
Monitoring Recommendations
- Enable core dump collection and crash reporting for cryptographic tooling on workstations that interact with smart cards.
- Monitor execution of pkcs11-tool from non-interactive contexts such as scripts, scheduled tasks, or service accounts.
- Track package management events that install or update OpenSC and confirm patched versions are deployed.
How to Mitigate CVE-2026-10275
Immediate Actions Required
- Upgrade OpenSC to a version that includes commit 814f745b3b6d100295f65f1935edd33d520d33ab once it is released downstream.
- Restrict access to pkcs11-tool so that only trusted administrators and service accounts can execute it.
- Avoid passing untrusted PKCS#11 URIs to pkcs11-tool from scripts, automation, or user-provided input.
Patch Information
The OpenSC maintainers published the fix as commit 814f745b3b6d100295f65f1935edd33d520d33ab. The patch adds an explicit length check using util_fatal to abort execution when an object identifier in a PKCS#11 URI exceeds sizeof(opt_object_id). See the OpenSC pull request #3684 and issue #3682 for additional context.
Workarounds
- Disable or remove pkcs11-tool on systems that do not require PKCS#11 administration.
- Sanitize or reject PKCS#11 URIs that contain id= values exceeding the documented maximum length before passing them to OpenSC utilities.
- Apply the upstream patch manually by rebuilding OpenSC from source if a packaged update is not yet available.
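# Check the installed OpenSC version (this prints the version only; it does not show whether the fix commit is included)
pkcs11-tool --version
# Example: rebuild from source with the upstream fix applied
git clone https://github.com/OpenSC/OpenSC.git
cd OpenSC
# Cherry-pick only if the checked-out branch does not already contain the fix
git merge-base --is-ancestor 814f745b3b6d100295f65f1935edd33d520d33ab HEAD || git cherry-pick 814f745b3b6d100295f65f1935edd33d520d33ab
./bootstrap && ./configure && make && sudo make install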
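The checks described under Detection Strategies (auditing id field lengths in pkcs11-tool command lines) and Workarounds (rejecting overlong id= values before they reach OpenSC utilities) can share one routine. The following is an added example, not OpenSC code: MAX_ID_LEN is a placeholder to be set to the size of opt_object_id in the build being audited, and the function names, the sample command lines and the option name used in them are assumptions.

```python
import shlex
from urllib.parse import unquote_to_bytes

# ASSUMPTION: placeholder limit. Set it to sizeof(opt_object_id) in the
# OpenSC build you audit; the advisory does not state the buffer size.
MAX_ID_LEN = 64

def uri_id_length(uri):
    """Decoded byte length of the id attribute of a pkcs11: URI, else None."""
    if not uri.lower().startswith("pkcs11:"):
        return None
    # RFC 7512: path attributes are ';'-separated and end at an optional '?'.
    path = uri[len("pkcs11:"):].split("?", 1)[0]
    for attr in path.split(";"):
        name, sep, value = attr.partition("=")
        if sep and name == "id":
            # Measure decoded bytes: "%41" is one byte, not three characters.
            return len(unquote_to_bytes(value))
    return None

def overlong_ids(cmdline, max_len=MAX_ID_LEN):
    """Return [(uri, id_len)] for pkcs11-tool arguments whose id is too long."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:  # unbalanced quotes in logged telemetry
        argv = cmdline.split()
    if not argv or argv[0].rsplit("/", 1)[-1] != "pkcs11-tool":
        return []
    hits = []
    for arg in argv[1:]:
        start = arg.lower().find("pkcs11:")  # also matches --opt=pkcs11:...
        if start < 0:
            continue
        n = uri_id_length(arg[start:])
        if n is not None and n > max_len:
            hits.append((arg[start:], n))
    return hits

# Constructed sample telemetry (POSIX-style command lines). The option name
# is an assumption and irrelevant to the scan, which inspects every argument.
SAMPLES = [
    "pkcs11-tool --uri 'pkcs11:token=demo;id=%01%02%03;object=key'",
    "/usr/bin/pkcs11-tool --uri=pkcs11:token=demo;id=" + "%41" * 80,
    "ls -l pkcs11:id=" + "%41" * 80,
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(overlong_ids(line) or "ok", "<-", line[:60])
```

Malformed percent escapes are counted as literal characters, so the measured length errs on the high side rather than the low side.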


