Step CA, Index Out-of-Bounds Panic, CVE-2026-40097 (Low)

Listen to this Post

An attacker can trigger an index out-of-bounds panic in Step CA by sending a crafted attestation key (AK) certificate with an empty Extended Key Usage (EKU) extension during TPM device attestation. When processing a device-attest-01 ACME challenge using TPM attestation, Step CA validates that the AK certificate contains the tcg-kp-AIKCertificate Extended Key Usage OID. During this validation, the EKU extension value is decoded from its ASN.1 representation and the first element is checked. A crafted certificate could include an EKU extension that decodes to an empty sequence, causing the code to panic when accessing the first element of the empty slice. This vulnerability is only reachable when a device-attest-01 ACME challenge with TPM attestation is configured. Deployments not using TPM device attestation are not affected. The vulnerable function is validateAKCertificateExtendedKeyUsage, which lacked proper bounds checking before accessing the first element of the EKU list. An unauthenticated attacker can exploit this to cause a panic, leading to a denial of service (DoS) of the CA service. The vulnerability has a CVSS base score of 3.7, classified as low severity. The attack vector is network-based, with low availability impact, and requires no privileges or user interaction, but has high attack complexity due to the need for a specifically crafted certificate. The issue is fixed in version 0.30.0 and above.

dailycve form:

Platform: smallstep/step-ca
Version: 0.24.0 to 0.30.0-rc2
Vulnerability : Index Out-of-Bounds
Severity: Low (CVSS 3.7)
date: 2026-04-10

Prediction: Patched in v0.30.0

Analytics under What Undercode Say:

Check your Step CA version and TPM attestation usage:

step-ca --version
step ca provisioner list --format json | jq '.[] | select(.type=="ACME")'

Audit logs for panics:

journalctl -u step-ca --since "2026-04-10" | grep -i "panic|out-of-bounds"

Verify the fix is applied:

grep -r "validateAKCertificateExtendedKeyUsage" /path/to/step-ca/source/

Exploit:

Generate a self-signed AK certificate with an empty EKU extension
openssl req -new -x509 -key key.pem -out cert.pem -days 1 -config <(cat /etc/ssl/openssl.cnf <(printf "\n[ v3_req ]\nextendedKeyUsage="))
Use crafted certificate to trigger panic
step ca token --challenge device-attest-01 --ak-cert cert.pem

Protection from this CVE

Upgrade to Step CA v0.30.0 or later:

wget https://github.com/smallstep/certificates/releases/download/v0.30.0/step-ca_linux_amd64.tar.gz
sudo tar -xzf step-ca_linux_amd64.tar.gz -C /usr/local/bin/
sudo systemctl restart step-ca

If unable to upgrade, disable or remove ACME provisioners that use TPM device attestation (device-attest-01):

step ca provisioner remove <provisioner-name>
step ca provisioner add <provisioner-name> --type ACME --challenges tpm-attestation=off

Impact

An unauthenticated attacker can cause a denial of service (DoS) by crashing the Step CA process, rendering the CA service unavailable. This can disrupt certificate issuance and management operations. No data breach or privilege escalation is involved.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top