Security Vulnerability Report
中文
CVE-2026-40097 CVSS 3.7 LOW

CVE-2026-40097

Published: 2026-04-10 17:17:13
Last Modified: 2026-04-27 13:40:24
Source: [email protected]

Description

Step CA is an online certificate authority for secure, automated certificate management for DevOps. From 0.24.0 to before 0.30.0-rc3, an attacker can trigger an index out-of-bounds panic in Step CA by sending a crafted attestation key (AK) certificate with an empty Extended Key Usage (EKU) extension during TPM device attestation. When processing a device-attest-01 ACME challenge using TPM attestation, Step CA validates that the AK certificate contains the tcg-kp-AIKCertificate Extended Key Usage OID. During this validation, the EKU extension value is decoded from its ASN.1 representation and the first element is checked. A crafted certificate could include an EKU extension that decodes to an empty sequence, causing the code to panic when accessing the first element of the empty slice. This vulnerability is only reachable when a device-attest-01 ACME challenge with TPM attestation is configured. Deployments not using TPM device attestation are not affected. This vulnerability is fixed in 0.30.0-rc3.

CVSS Details

CVSS Score
3.7
Severity
LOW
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

Configurations (Affected Products)

cpe:2.3:a:smallstep:step-ca:*:*:*:*:*:go:*:* - VULNERABLE
cpe:2.3:a:smallstep:step-ca:0.30.0:rc1:*:*:*:go:*:* - VULNERABLE
cpe:2.3:a:smallstep:step-ca:0.30.0:rc2:*:*:*:go:*:* - VULNERABLE
Step CA 0.24.0
Step CA < 0.30.0-rc3

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import os import sys # This script demonstrates the concept of triggering CVE-2026-40097. # The vulnerability is triggered by sending a TPM Attestation Key (AK) certificate # with an empty Extended Key Usage (EKU) extension to a vulnerable Step CA server. def generate_exploit_concept(): print("[+] Concept for CVE-2026-40097 PoC") print("[+] Target: Step CA < 0.30.0-rc3 with TPM attestation enabled") print("[+] Mechanism: Send AK cert with empty EKU extension (ASN.1 SEQUENCE length 0)") # In a real exploit, one would use an ASN.1 library to construct a certificate # where the EKU extension (OID 2.5.29.37) contains an empty sequence. # Example raw bytes for the EKU extension value: # 0x30 0x00 (SEQUENCE, length 0) exploit_payload_description = """ Malformed Certificate Structure: - Subject: ... - Extensions: - Extended Key Usage: <EMPTY SEQUENCE> (Normally contains OIDs like 2.23.133.8.3 for AIK) """ print(exploit_payload_description) print("[+] Sending this certificate during ACME 'device-attest-01' challenge will cause a panic.") if __name__ == "__main__": generate_exploit_concept()

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-40097", "sourceIdentifier": "[email protected]", "published": "2026-04-10T17:17:12.823", "lastModified": "2026-04-27T13:40:24.027", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Step CA is an online certificate authority for secure, automated certificate management for DevOps. From 0.24.0 to before 0.30.0-rc3, an attacker can trigger an index out-of-bounds panic in Step CA by sending a crafted attestation key (AK) certificate with an empty Extended Key Usage (EKU) extension during TPM device attestation. When processing a device-attest-01 ACME challenge using TPM attestation, Step CA validates that the AK certificate contains the tcg-kp-AIKCertificate Extended Key Usage OID. During this validation, the EKU extension value is decoded from its ASN.1 representation and the first element is checked. A crafted certificate could include an EKU extension that decodes to an empty sequence, causing the code to panic when accessing the first element of the empty slice. This vulnerability is only reachable when a device-attest-01 ACME challenge with TPM attestation is configured. Deployments not using TPM device attestation are not affected. This vulnerability is fixed in 0.30.0-rc3."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", "baseScore": 3.7, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.2, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-129"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:smallstep:step-ca:*:*:*:*:*:go:*:*", "versionStartIncluding": "0.24.0", "versionEndExcluding": "0.30.0", "matchCriteriaId": "ABA8B83F-37DD-4755-AFB6-CD76AF8A4F4A"}, {"vulnerable": true, "criteria": "cpe:2.3:a:smallstep:step-ca:0.30.0:rc1:*:*:*:go:*:*", "matchCriteriaId": "D49EF50A-2928-4577-A5AD-0CD81C9E1AE8"}, {"vulnerable": true, "criteria": "cpe:2.3:a:smallstep:step-ca:0.30.0:rc2:*:*:*:go:*:*", "matchCriteriaId": "E238C89C-4A97-4FA1-8DE0-9FE51CDF59B9"}]}]}], "references": [{"url": "https://github.com/smallstep/certificates/commit/ffd31ac0a87e03b0224cb8363094bfe602242888", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/smallstep/certificates/pull/2569", "source": "[email protected]", "tags": ["Issue Tracking", "Patch"]}, {"url": "https://github.com/smallstep/certificates/releases/tag/v0.30.0", "source": "[email protected]", "tags": ["Product", "Release Notes"]}, {"url": "https://github.com/smallstep/certificates/security/advisories/GHSA-9qq8-cgcv-qmc9", "source": "[email protected]", "tags": ["Mitigation", "Vendor Advisory"]}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.