Skip to main content

FreeIPA ipa-otpd CVE-2026-14612

| EUVDEUVD-2026-41554 MEDIUM
Out-of-bounds Write (CWE-787)
2026-07-03 redhat GHSA-fr6j-mfcv-pgmf
4.2
CVSS 3.1 · Vendor: redhat
Share

Severity by source

Vendor (redhat) PRIMARY
4.2 MEDIUM
AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:L
vuln.today AI
4.2 MEDIUM

MITM or IdP-control prerequisite drives AC:H; user-initiated flow requires UI:R; no privileges needed on FreeIPA system itself (PR:N); one-byte write supports I:L conservatively, daemon crash supports A:L.

3.1 AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:L
4.0 AV:N/AC:H/AT:P/PR:N/UI:A/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N
Red Hat
4.2 LOW
qualitative

Primary rating from Vendor (redhat).

CVSS VectorVendor: redhat

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:L
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
Low

Lifecycle Timeline

2
Analysis Generated
Jul 03, 2026 - 15:46 vuln.today
CVE Published
Jul 03, 2026 - 15:11 cve.org
MEDIUM 4.2

DescriptionCVE.org

Two off-by-one errors in the FreeIPA ipa-otpd daemon's OAuth2 device authorization handler can cause out-of-bounds memory access when processing an oversized response from a configured external OAuth2/OIDC Identity Provider. An attacker who controls or can man-in-the-middle the IdP endpoint may be able to trigger ipa-otpd to write or read one byte past the end of a fixed-size buffer. Exploitation requires FreeIPA to be configured with an external IdP, attacker control or MITM of that IdP, and a user to initiate the OAuth2 device authorization flow. The most likely impact is limited denial of service affecting the ipa-otpd daemon.

AnalysisAI

Two off-by-one errors in FreeIPA's ipa-otpd daemon expose RHEL 6 through 10 deployments configured with an external OAuth2/OIDC Identity Provider to out-of-bounds memory access during the device authorization flow. An attacker who controls or can man-in-the-middle the configured IdP endpoint can serve an oversized authorization response, triggering CWE-787 writes or reads one byte past a fixed-size buffer boundary. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify FreeIPA deployment with external IdP configured
Delivery
Gain control of or MITM IdP endpoint
Exploit
Wait for user to initiate OAuth2 device authorization flow
Execution
Serve oversized IdP authorization response
Persist
Trigger off-by-one write past fixed buffer in ipa-otpd
Impact
Crash daemon, disrupting OTP and IdP-based authentication

Vulnerability AssessmentAI

Exploitation Three conditions must be simultaneously satisfied: (1) FreeIPA must be explicitly configured with an external OAuth2/OIDC Identity Provider - this is a non-default, administrator-provisioned configuration; standard FreeIPA deployments using only built-in OTP are not affected; (2) the attacker must control the external IdP endpoint (e.g., compromised or malicious IdP) or successfully perform a man-in-the-middle attack on the network path between the ipa-otpd daemon and the IdP, which drives the AC:H rating; (3) a legitimate FreeIPA user must actively initiate the OAuth2 device authorization flow, providing the required user interaction (UI:R). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 score of 4.2 (Medium) accurately reflects a constrained attack surface: high attack complexity (AC:H) requires the attacker to either compromise the external IdP or establish a man-in-the-middle position on the network path between ipa-otpd and the IdP, and user interaction (UI:R) is mandatory - a legitimate user must actively initiate the OAuth2 device authorization flow. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with a man-in-the-middle position between the FreeIPA server and its configured external OAuth2/OIDC IdP endpoint intercepts the device authorization response and replaces it with a crafted oversized payload. When a legitimate user initiates the OAuth2 device flow - for example, during an MFA login attempt - ipa-otpd processes the malicious response, triggers the off-by-one write, and most likely crashes, disrupting OTP and IdP-based authentication for all users until the daemon restarts. …
Remediation Apply the Red Hat-released errata for ipa-otpd once available via standard RHEL subscription channels; consult https://access.redhat.com/security/cve/CVE-2026-14612 for the specific advisory and updated package version, which was not confirmed in the available data at time of analysis. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-4631 CRITICAL POC
9.8 Apr 07

Remote code execution in Cockpit's web interface allows unauthenticated attackers to execute arbitrary commands on the h

CVE-2026-4480 CRITICAL POC
9.0 May 26

Remote code execution in Samba's printing subsystem allows remote attackers to inject arbitrary shell commands via craft

CVE-2026-14544 CRITICAL
9.8 Jul 03

Remote code execution and privilege escalation in HPLIP (HP Linux Imaging and Printing) affects the hpcups print filter

CVE-2026-28369 CRITICAL
9.1 Mar 27

HTTP request smuggling in Undertow (the embedded web server underpinning JBoss EAP, Red Hat Data Grid, and Apache Camel

CVE-2026-28368 CRITICAL
9.1 Mar 27

HTTP request smuggling in Red Hat Undertow allows remote unauthenticated attackers to bypass front-end security controls

CVE-2026-33845 CRITICAL
9.1 Apr 30

Out-of-bounds read in the GnuTLS DTLS handshake reassembly logic lets remote unauthenticated attackers trigger an intege

CVE-2026-28367 CRITICAL
9.1 Mar 27

HTTP request smuggling in Undertow allows remote unauthenticated attackers to send `\r\r\r` as a header block terminator

CVE-2026-11610 HIGH
8.8 Jul 07

Denial of service in Red Hat / 389 Directory Server (389-ds-base, versions since ~1.3.2/2013) allows an authenticated LD

CVE-2026-14474 HIGH
8.8 Jul 07

Local-to-domain-wide root privilege escalation in SSSD's LDAP sudo provider allows an authenticated LDAP directory user

CVE-2026-52720 HIGH
8.8 Jun 15

Heap buffer overflow in GStreamer's librfb (RFB/VNC client) allows a malicious VNC server to corrupt heap memory on a co

CVE-2026-5260 HIGH
8.2 May 26

Information disclosure and denial of service in GnuTLS (libgnutls) let a remote, unauthenticated attacker trigger a heap

CVE-2026-0966 HIGH
8.2 Mar 26

Remote denial-of-service in libssh 0.11.x and earlier allows unauthenticated attackers to crash SSH server daemon proces

Vendor StatusVendor

Share

CVE-2026-14612 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy