assuan_release function called from agent_reset_daemon in agent/command.c at line 4151 is not run on primary_ctx variable (primary_scd_ctx for LTS version) and thus the outbound buffer containing the PIN stays in clear in memory. The content the buffer stays in memory even after the smartcard is removed physically.
To reproduce the problem on latest GPG version (after the PIN of the dongle has been entered once):
bash gdp gpg-agent (gdb) attach <PID> Attaching to program: /usr/local/bin/gpg-agent, process <PID> (gdb) b agent_cache_housekeeping Breakpoint 1 at 0x55571151c400: file cache.c, line 278. (gdb) c Continuing. Thread 1 "gpg-agent" hit Breakpoint 1, agent_cache_housekeeping () at cache.c:278 278 if (DBG_CACHE) (gdb) p daemon_global[DAEMON_SCD].primary_ctx->outbound.data.line $9 = "D 13371337", '\000' <repeats 82 times>, "\n", '\000' <repeats 908 times>
For LTS version:
bash p primary_scd_ctx.outbound->data->line
This have been tested with a Yubikey 4 dongle.