Skip to main content

Certificates CVE-2026-40097

| EUVDEUVD-2026-21506 LOW
Improper Validation of Array Index (CWE-129)
2026-04-10 GitHub_M GHSA-9qq8-cgcv-qmc9
3.7
CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY
3.7 LOW
AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low

Lifecycle Timeline

4
Patch released
Apr 11, 2026 - 02:30 nvd
Patch available
EUVD ID Assigned
Apr 10, 2026 - 17:15 euvd
EUVD-2026-21506
Analysis Generated
Apr 10, 2026 - 17:15 vuln.today
CVE Published
Apr 10, 2026 - 16:34 nvd
LOW 3.7

DescriptionGitHub Advisory

Step CA is an online certificate authority for secure, automated certificate management for DevOps. From 0.24.0 to before 0.30.0-rc3, an attacker can trigger an index out-of-bounds panic in Step CA by sending a crafted attestation key (AK) certificate with an empty Extended Key Usage (EKU) extension during TPM device attestation. When processing a device-attest-01 ACME challenge using TPM attestation, Step CA validates that the AK certificate contains the tcg-kp-AIKCertificate Extended Key Usage OID. During this validation, the EKU extension value is decoded from its ASN.1 representation and the first element is checked. A crafted certificate could include an EKU extension that decodes to an empty sequence, causing the code to panic when accessing the first element of the empty slice. This vulnerability is only reachable when a device-attest-01 ACME challenge with TPM attestation is configured. Deployments not using TPM device attestation are not affected. This vulnerability is fixed in 0.30.0-rc3.

AnalysisAI

Step CA versions 0.24.0 through 0.30.0-rc2 suffer a denial-of-service vulnerability where an attacker can trigger an index out-of-bounds panic by sending a crafted TPM attestation key certificate with an empty Extended Key Usage extension during device-attest-01 ACME challenges. The vulnerability affects only deployments that have explicitly configured TPM device attestation; organizations using Step CA for standard certificate management are unaffected. While the CVSS score is low (3.7), the attack is unauthenticated and remotely triggerable, potentially causing service disruption in vulnerable configurations.

Technical ContextAI

Step CA implements TPM device attestation for the device-attest-01 ACME challenge type, which validates that an attestation key certificate contains the tcg-kp-AIKCertificate Extended Key Usage (EKU) OID. The vulnerability stems from an unsafe array access pattern in the EKU validation logic: when an EKU extension is decoded from its ASN.1 representation, the code assumes the decoded value is a non-empty sequence and directly accesses the first element without bounds checking (CWE-129: Improper Validation of Array Index). A maliciously crafted AK certificate can include an EKU extension that decodes to an empty sequence, causing the Go runtime to panic when the code attempts index [0] on a zero-length slice. This is classified as a buffer overflow variant because it represents unsafe memory/slice access. The vulnerability is restricted to the TPM attestation code path and only manifests when device-attest-01 challenges are configured, limiting its blast radius.

RemediationAI

Vendor-released patch: upgrade to Step CA version 0.30.0 or later, which contains the fix. Organizations unable to upgrade immediately should temporarily disable TPM device attestation in their Step CA configuration to eliminate the attack surface. The upstream fix is documented in commit ffd31ac0a87e03b0224cb8363094bfe602242888 and pull request https://github.com/smallstep/certificates/pull/2569; the patched release is available at https://github.com/smallstep/certificates/releases/tag/v0.30.0. After patching, verify that EKU validation correctly handles both empty and non-empty sequences to prevent regression.

Share

CVE-2026-40097 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy