Severity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
Lifecycle Timeline
4DescriptionGitHub Advisory
Step CA is an online certificate authority for secure, automated certificate management for DevOps. From 0.24.0 to before 0.30.0-rc3, an attacker can trigger an index out-of-bounds panic in Step CA by sending a crafted attestation key (AK) certificate with an empty Extended Key Usage (EKU) extension during TPM device attestation. When processing a device-attest-01 ACME challenge using TPM attestation, Step CA validates that the AK certificate contains the tcg-kp-AIKCertificate Extended Key Usage OID. During this validation, the EKU extension value is decoded from its ASN.1 representation and the first element is checked. A crafted certificate could include an EKU extension that decodes to an empty sequence, causing the code to panic when accessing the first element of the empty slice. This vulnerability is only reachable when a device-attest-01 ACME challenge with TPM attestation is configured. Deployments not using TPM device attestation are not affected. This vulnerability is fixed in 0.30.0-rc3.
AnalysisAI
Step CA versions 0.24.0 through 0.30.0-rc2 suffer a denial-of-service vulnerability where an attacker can trigger an index out-of-bounds panic by sending a crafted TPM attestation key certificate with an empty Extended Key Usage extension during device-attest-01 ACME challenges. The vulnerability affects only deployments that have explicitly configured TPM device attestation; organizations using Step CA for standard certificate management are unaffected. While the CVSS score is low (3.7), the attack is unauthenticated and remotely triggerable, potentially causing service disruption in vulnerable configurations.
Technical ContextAI
Step CA implements TPM device attestation for the device-attest-01 ACME challenge type, which validates that an attestation key certificate contains the tcg-kp-AIKCertificate Extended Key Usage (EKU) OID. The vulnerability stems from an unsafe array access pattern in the EKU validation logic: when an EKU extension is decoded from its ASN.1 representation, the code assumes the decoded value is a non-empty sequence and directly accesses the first element without bounds checking (CWE-129: Improper Validation of Array Index). A maliciously crafted AK certificate can include an EKU extension that decodes to an empty sequence, causing the Go runtime to panic when the code attempts index [0] on a zero-length slice. This is classified as a buffer overflow variant because it represents unsafe memory/slice access. The vulnerability is restricted to the TPM attestation code path and only manifests when device-attest-01 challenges are configured, limiting its blast radius.
RemediationAI
Vendor-released patch: upgrade to Step CA version 0.30.0 or later, which contains the fix. Organizations unable to upgrade immediately should temporarily disable TPM device attestation in their Step CA configuration to eliminate the attack surface. The upstream fix is documented in commit ffd31ac0a87e03b0224cb8363094bfe602242888 and pull request https://github.com/smallstep/certificates/pull/2569; the patched release is available at https://github.com/smallstep/certificates/releases/tag/v0.30.0. After patching, verify that EKU validation correctly handles both empty and non-empty sequences to prevent regression.
Same weakness CWE-129 – Improper Validation of Array Index
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-21506
GHSA-9qq8-cgcv-qmc9