Severity by source
AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:L
MITM or IdP-control prerequisite drives AC:H; user-initiated flow requires UI:R; no privileges needed on FreeIPA system itself (PR:N); one-byte write supports I:L conservatively, daemon crash supports A:L.
Primary rating from Vendor (redhat).
CVSS VectorVendor: redhat
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:L
Lifecycle Timeline
2DescriptionCVE.org
Two off-by-one errors in the FreeIPA ipa-otpd daemon's OAuth2 device authorization handler can cause out-of-bounds memory access when processing an oversized response from a configured external OAuth2/OIDC Identity Provider. An attacker who controls or can man-in-the-middle the IdP endpoint may be able to trigger ipa-otpd to write or read one byte past the end of a fixed-size buffer. Exploitation requires FreeIPA to be configured with an external IdP, attacker control or MITM of that IdP, and a user to initiate the OAuth2 device authorization flow. The most likely impact is limited denial of service affecting the ipa-otpd daemon.
AnalysisAI
Two off-by-one errors in FreeIPA's ipa-otpd daemon expose RHEL 6 through 10 deployments configured with an external OAuth2/OIDC Identity Provider to out-of-bounds memory access during the device authorization flow. An attacker who controls or can man-in-the-middle the configured IdP endpoint can serve an oversized authorization response, triggering CWE-787 writes or reads one byte past a fixed-size buffer boundary. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Three conditions must be simultaneously satisfied: (1) FreeIPA must be explicitly configured with an external OAuth2/OIDC Identity Provider - this is a non-default, administrator-provisioned configuration; standard FreeIPA deployments using only built-in OTP are not affected; (2) the attacker must control the external IdP endpoint (e.g., compromised or malicious IdP) or successfully perform a man-in-the-middle attack on the network path between the ipa-otpd daemon and the IdP, which drives the AC:H rating; (3) a legitimate FreeIPA user must actively initiate the OAuth2 device authorization flow, providing the required user interaction (UI:R). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 score of 4.2 (Medium) accurately reflects a constrained attack surface: high attack complexity (AC:H) requires the attacker to either compromise the external IdP or establish a man-in-the-middle position on the network path between ipa-otpd and the IdP, and user interaction (UI:R) is mandatory - a legitimate user must actively initiate the OAuth2 device authorization flow. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with a man-in-the-middle position between the FreeIPA server and its configured external OAuth2/OIDC IdP endpoint intercepts the device authorization response and replaces it with a crafted oversized payload. When a legitimate user initiates the OAuth2 device flow - for example, during an MFA login attempt - ipa-otpd processes the malicious response, triggers the off-by-one write, and most likely crashes, disrupting OTP and IdP-based authentication for all users until the daemon restarts. … |
| Remediation | Apply the Red Hat-released errata for ipa-otpd once available via standard RHEL subscription channels; consult https://access.redhat.com/security/cve/CVE-2026-14612 for the specific advisory and updated package version, which was not confirmed in the available data at time of analysis. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Red Hat Enterprise Linux 10
View allRemote code execution in Cockpit's web interface allows unauthenticated attackers to execute arbitrary commands on the h
Remote code execution in Samba's printing subsystem allows remote attackers to inject arbitrary shell commands via craft
Remote code execution and privilege escalation in HPLIP (HP Linux Imaging and Printing) affects the hpcups print filter
HTTP request smuggling in Undertow (the embedded web server underpinning JBoss EAP, Red Hat Data Grid, and Apache Camel
HTTP request smuggling in Red Hat Undertow allows remote unauthenticated attackers to bypass front-end security controls
Out-of-bounds read in the GnuTLS DTLS handshake reassembly logic lets remote unauthenticated attackers trigger an intege
HTTP request smuggling in Undertow allows remote unauthenticated attackers to send `\r\r\r` as a header block terminator
Denial of service in Red Hat / 389 Directory Server (389-ds-base, versions since ~1.3.2/2013) allows an authenticated LD
Local-to-domain-wide root privilege escalation in SSSD's LDAP sudo provider allows an authenticated LDAP directory user
Heap buffer overflow in GStreamer's librfb (RFB/VNC client) allows a malicious VNC server to corrupt heap memory on a co
Information disclosure and denial of service in GnuTLS (libgnutls) let a remote, unauthenticated attacker trigger a heap
Remote denial-of-service in libssh 0.11.x and earlier allows unauthenticated attackers to crash SSH server daemon proces
Same weakness CWE-787 – Out-of-bounds Write
View allSame technique Memory Corruption
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41554
GHSA-fr6j-mfcv-pgmf