CVE-2026-40097
Received Received - Intake
Index Out-of-Bounds Panic in Step CA TPM Attestation

Publication date: 2026-04-10

Last updated on: 2026-04-27

Assigner: GitHub, Inc.

Description
Step CA is an online certificate authority for secure, automated certificate management for DevOps. From 0.24.0 to before 0.30.0-rc3, an attacker can trigger an index out-of-bounds panic in Step CA by sending a crafted attestation key (AK) certificate with an empty Extended Key Usage (EKU) extension during TPM device attestation. When processing a device-attest-01 ACME challenge using TPM attestation, Step CA validates that the AK certificate contains the tcg-kp-AIKCertificate Extended Key Usage OID. During this validation, the EKU extension value is decoded from its ASN.1 representation and the first element is checked. A crafted certificate could include an EKU extension that decodes to an empty sequence, causing the code to panic when accessing the first element of the empty slice. This vulnerability is only reachable when a device-attest-01 ACME challenge with TPM attestation is configured. Deployments not using TPM device attestation are not affected. This vulnerability is fixed in 0.30.0-rc3.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-10
Last Modified
2026-04-27
Generated
2026-06-16
AI Q&A
2026-04-10
EPSS Evaluated
2026-06-15
NVD
CVE-2026-40097
EUVD
EUVD-2026-21506
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
smallstep step-ca 0.30.0
smallstep step-ca 0.30.0
smallstep step-ca From 0.24.0 (inc) to 0.30.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-129 The product uses untrusted input when calculating or using an array index, but the product does not validate or incorrectly validates the index to ensure the index references a valid position within the array.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The provided information does not include any details on how CVE-2026-40097 affects compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

CVE-2026-40097 is a vulnerability in Step CA, an online certificate authority used for automated certificate management in DevOps. The issue occurs in versions from 0.24.0 to before 0.30.0-rc3 when processing TPM device attestation during a device-attest-01 ACME challenge.

An attacker can send a specially crafted Attestation Key (AK) certificate that contains an empty Extended Key Usage (EKU) extension. Step CA expects the EKU extension to include a specific OID (tcg-kp-AIKCertificate) and tries to access the first element of the EKU sequence. If the EKU is empty, this causes an index out-of-bounds panic, leading to a crash.

This vulnerability only affects deployments that use TPM device attestation with the device-attest-01 ACME challenge. It is fixed in version 0.30.0-rc3 by adding proper validation to reject empty EKU sequences.

Impact Analysis

The primary impact of this vulnerability is a denial of service (DoS) condition. When Step CA processes a crafted AK certificate with an empty EKU extension, it triggers an index out-of-bounds panic, causing the service to crash or become unavailable.

This can disrupt automated certificate management workflows that rely on TPM device attestation, potentially causing downtime or interruptions in certificate issuance and renewal.

The vulnerability has a low severity score (CVSS 3.7) and requires a high attack complexity, as the attacker must craft a specific certificate and the system must be configured to use TPM attestation.

Detection Guidance

This vulnerability occurs when Step CA processes a device-attest-01 ACME challenge using TPM attestation with an Attestation Key (AK) certificate that contains an empty Extended Key Usage (EKU) extension. Detection involves identifying if such malformed AK certificates are being used or accepted by your Step CA deployment.

Since the vulnerability triggers an index out-of-bounds panic during EKU validation, monitoring Step CA logs for panic or crash messages related to EKU processing can help detect exploitation attempts.

To detect vulnerable certificates, you can extract and inspect the EKU extension of AK certificates used in TPM attestation. For example, using OpenSSL commands to examine the EKU extension in certificates involved in device attestation:

  • openssl x509 -in <certificate-file> -noout -text | grep -A1 'X509v3 Extended Key Usage'

Look for EKU extensions that are empty or missing the required tcg-kp-AIKCertificate OID (2.23.133.8.3). An empty EKU sequence or absence of this OID indicates a potentially crafted certificate that could trigger the vulnerability.

Additionally, monitoring network traffic for device-attest-01 ACME challenges with TPM attestation enabled can help identify if the vulnerable code path is in use.

Mitigation Strategies

The primary mitigation is to upgrade Step CA to version 0.30.0-rc3 or later, where the vulnerability is fixed by adding proper validation to reject AK certificates with empty EKU extensions.

If upgrading is not immediately possible, you should disable or remove any ACME provisioners that use TPM device attestation (device-attest-01) to prevent exploitation.

Monitoring and auditing your certificate issuance and attestation processes to ensure no malformed AK certificates with empty EKU extensions are accepted can also reduce risk.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-40097. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart