CVE-2026-10275 is a buffer overflow vulnerability in OpenSC’s pkcs11-tool, specifically within the key generation and certificate writing functionality in pkcs11-tool.c. The flaw could allow an attacker to corrupt memory during PKCS#11 cryptographic operations, potentially leading to arbitrary code execution or service crashes. This matters because OpenSC is widely used to interact with hardware security modules (HSMs) and smart cards, including in Azure and hybrid environments.

Security Architect’s Take: Audit your Azure and on-premises environments for any workloads or pipelines using OpenSC’s pkcs11-tool — particularly those interacting with HSMs, smart cards, or PKCS#11 interfaces — and apply vendor patches as soon as they are available. Restrict access to key generation tooling to least-privilege service accounts and consider isolating these operations within hardened CI/CD environments.

Original advisory: CVE-2026-10275 OpenSC pkcs11-tool Key Generation pkcs11-tool.c test_kpgen_certwrite buffer overflow

CVE-2026-42014 is a use-after-free vulnerability in GnuTLS, a widely used cryptographic library, specifically in the function responsible for setting PKCS#11 token PINs. Use-after-free flaws occur when a programme continues to use memory after it has been freed, potentially allowing attackers to execute arbitrary code or cause a crash. This matters because GnuTLS underpins TLS/SSL operations in many Linux-based workloads, including those running on Azure.

Security Architect’s Take: Identify any Azure Linux VMs, containers, or services that use GnuTLS with PKCS#11 hardware security module (HSM) or token-based authentication, and prioritise patching the GnuTLS library to the remediated version. If patching cannot be applied immediately, consider restricting access to PKCS#11 token management interfaces as a compensating control.

Original advisory: CVE-2026-42014 Gnutls: fix use-after-free in gnutls_pkcs11_token_set_pin