CVE-2026-40097

LOW EPSS 7.9%
Published Apr 10, 20262mo ago · Modified Jun 17, 20262w ago
3.7 CVSS 3.1
Low
Find Similar
Published Apr 10, 2026 2mo ago
Last Modified Jun 17, 2026 2w ago

Description

Step CA is an online certificate authority for secure, automated certificate management for DevOps. From 0.24.0 to before 0.30.0-rc3, an attacker can trigger an index out-of-bounds panic in Step CA by sending a crafted attestation key (AK) certificate with an empty Extended Key Usage (EKU) extension during TPM device attestation. When processing a device-attest-01 ACME challenge using TPM attestation, Step CA validates that the AK certificate contains the tcg-kp-AIKCertificate Extended Key Usage OID. During this validation, the EKU extension value is decoded from its ASN.1 representation and the first element is checked. A crafted certificate could include an EKU extension that decodes to an empty sequence, causing the code to panic when accessing the first element of the empty slice. This vulnerability is only reachable when a device-attest-01 ACME challenge with TPM attestation is configured. Deployments not using TPM device attestation are not affected. This vulnerability is fixed in 0.30.0-rc3.

CVSS Details

Base Score
3.7
Exploitability
2.2
Impact
1.4
Vector string
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
Attack Vector Network
Attack Complexity High
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality None
Integrity None
Availability Low

Threat Intelligence

EPSS Exploit Probability
7.9% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-129

Affected Products 3

VendorProductVersionRange
smallstepstep-ca*≥0.24.0  –  <0.30.0
smallstepstep-ca0.30.0any
smallstepstep-ca0.30.0any

References 4

  • github.com https://github.com/smallstep/certificates/commit/ffd31ac0a87e03b0224cb8363094bfe602242888
    Patch
  • github.com https://github.com/smallstep/certificates/pull/2569
    Issue TrackingPatch
  • github.com https://github.com/smallstep/certificates/releases/tag/v0.30.0
    ProductRelease Notes
  • github.com https://github.com/smallstep/certificates/security/advisories/GHSA-9qq8-cgcv-qmc9
    MitigationVendor Advisory

Remediation

  • github.com https://github.com/smallstep/certificates/commit/ffd31ac0a87e03b0224cb8363094bfe602242888
    Patch
  • github.com https://github.com/smallstep/certificates/pull/2569
    Issue TrackingPatch