CVE-2026-10275 is a buffer overflow vulnerability in OpenSC’s pkcs11-tool, specifically within the key generation and certificate writing functionality in pkcs11-tool.c. The flaw could allow an attacker to corrupt memory during PKCS#11 cryptographic operations, potentially leading to arbitrary code execution or service crashes. This matters because OpenSC is widely used to interact with hardware security modules (HSMs) and smart cards, including in Azure and hybrid environments.

Security Architect’s Take: Audit your Azure and on-premises environments for any workloads or pipelines using OpenSC’s pkcs11-tool — particularly those interacting with HSMs, smart cards, or PKCS#11 interfaces — and apply vendor patches as soon as they are available. Restrict access to key generation tooling to least-privilege service accounts and consider isolating these operations within hardened CI/CD environments.

Original advisory: CVE-2026-10275 OpenSC pkcs11-tool Key Generation pkcs11-tool.c test_kpgen_certwrite buffer overflow