CVE-2026-14612
Status: Received - Intake

Buffer Overflow in FreeIPA ipa-otpd OAuth2 Handler

Vulnerability report for CVE-2026-14612, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-03

Last updated on: 2026-07-03

Assigner: Red Hat, Inc.

Description

Two off-by-one errors in the FreeIPA ipa-otpd daemon's OAuth2 device authorization handler can cause out-of-bounds memory access when processing an oversized response from a configured external OAuth2/OIDC Identity Provider. An attacker who controls or can man-in-the-middle the IdP endpoint may be able to trigger ipa-otpd to write or read one byte past the end of a fixed-size buffer. Exploitation requires FreeIPA to be configured with an external IdP, attacker control or MITM of that IdP, and a user to initiate the OAuth2 device authorization flow. The most likely impact is limited denial of service affecting the ipa-otpd daemon.

CVSS Scores

No CVSS score is listed on this record yet.

EPSS Scores

No EPSS probability or percentile is listed yet (EPSS evaluation: N/A).

Meta Information

Published: 2026-07-03
Last Modified: 2026-07-03
Generated: 2026-07-03
AI Q&A: 2026-07-03
EPSS Evaluated: N/A
References: NVD, EUVD

Affected Vendors & Products

1 associated CPE:

Vendor: freeipa
Product: freeipa
Version / Range: * (no version range has been recorded for this CPE)

CWE

CWE-787: The product writes data past the end, or before the beginning, of the intended buffer.

Only the write half of the bug is covered by CWE-787; the out-of-bounds read described below would fall under CWE-125 (Out-of-bounds Read), which this record does not list.

AI Quick Actions

The following sections are AI-generated insights.
Executive Summary

CVE-2026-14612 is a security vulnerability in FreeIPA's ipa-otpd daemon, specifically in its OAuth2 device authorization handler. It involves two off-by-one errors that cause out-of-bounds memory access when processing an oversized response from an external OAuth2/OIDC Identity Provider (IdP).

The two errors are an out-of-bounds write, where the code null-terminates the response buffer one byte past its allocated size, and an out-of-bounds read, where a boundary calculation is off by one and reads one byte past the end of the buffer. Exploitation requires FreeIPA to be configured with an external IdP, attacker control or man-in-the-middle (MITM) capability over that IdP, and a user to initiate the OAuth2 device authorization flow.
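
The pattern behind the two errors, as an added example written for this page. This is not code from ipa-otpd's oauth2.c: the buffer size RESP_CAP, the function names and the constructed "IdP response" strings are assumptions chosen so that the bug is observable. Each buggy routine is shown beside its hardened form, and the probes hand the routines a 17-byte allocation while declaring only 16, so the one-byte overrun lands on a sentinel byte that the program can inspect instead of in undefined memory.

```c
#include <stdio.h>
#include <string.h>

/* Illustrative reconstruction, NOT ipa-otpd's code: RESP_CAP, the function
 * names and the sample responses are assumptions made for this example. */
#define RESP_CAP 16          /* hypothetical fixed-size response buffer */
#define CANARY   0xA5        /* sentinel value kept just past the buffer */

/* Off-by-one write: the check admits len == cap, so the NUL terminator is
 * written to out[cap], one byte past the end of the buffer. */
static int copy_response_vuln(char *out, size_t cap, const char *resp, size_t len)
{
    if (len > cap)                  /* should reject len == cap as well */
        return -1;
    memcpy(out, resp, len);
    out[len] = '\0';                /* out[cap] when len == cap */
    return 0;
}

/* Hardened write: reserve one byte for the terminator. */
static int copy_response_fixed(char *out, size_t cap, const char *resp, size_t len)
{
    if (cap == 0 || len >= cap)     /* require len + 1 <= cap */
        return -1;
    memcpy(out, resp, len);
    out[len] = '\0';                /* at most out[cap - 1] */
    return 0;
}

/* Off-by-one read: an inclusive loop bound reads buf[len]. */
static int find_newline_vuln(const char *buf, size_t len)
{
    for (size_t i = 0; i <= len; i++)   /* should be i < len */
        if (buf[i] == '\n')
            return (int)i;
    return -1;
}

/* Hardened read: exclusive bound. */
static int find_newline_fixed(const char *buf, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (buf[i] == '\n')
            return (int)i;
    return -1;
}

/* Probes. Each uses a real allocation of RESP_CAP + 1 bytes but tells the
 * routine under test that only RESP_CAP bytes exist, as a fixed-size array
 * field would. The extra byte stands in for whatever lives next to the
 * buffer, so the overrun is observable without undefined behaviour.
 * Returns -1 if the copy was rejected, otherwise the byte past the buffer. */
int probe_copy(int (*copy)(char *, size_t, const char *, size_t),
               const char *resp, size_t len)
{
    unsigned char storage[RESP_CAP + 1];
    memset(storage, CANARY, sizeof storage);
    if (copy((char *)storage, RESP_CAP, resp, len) != 0)
        return -1;
    return storage[RESP_CAP];       /* CANARY if intact, 0 if the NUL landed here */
}

int probe_copy_vuln(const char *resp, size_t len)  { return probe_copy(copy_response_vuln, resp, len); }
int probe_copy_fixed(const char *resp, size_t len) { return probe_copy(copy_response_fixed, resp, len); }

/* A newline is planted one byte past the window; only the buggy scanner
 * finds it, and the index it reports (RESP_CAP) is already out of bounds. */
int probe_scan(int (*scan)(const char *, size_t))
{
    unsigned char storage[RESP_CAP + 1];
    memset(storage, 'a', RESP_CAP);
    storage[RESP_CAP] = '\n';
    return scan((char *)storage, RESP_CAP);
}

int probe_scan_vuln(void)  { return probe_scan(find_newline_vuln); }
int probe_scan_fixed(void) { return probe_scan(find_newline_fixed); }

int main(void)
{
    /* Constructed "IdP responses": exactly RESP_CAP bytes is the oversized case. */
    const char oversized[] = "0123456789abcdef";
    const char fits[]      = "0123456789abcde";
    printf("vuln  copy, 16 bytes: byte past buffer = 0x%02x\n", probe_copy_vuln(oversized, 16));
    printf("fixed copy, 16 bytes: rc = %d (rejected)\n", probe_copy_fixed(oversized, 16));
    printf("fixed copy, 15 bytes: byte past buffer = 0x%02x\n", probe_copy_fixed(fits, 15));
    printf("vuln  scan: newline at %d\n", probe_scan_vuln());
    printf("fixed scan: newline at %d\n", probe_scan_fixed());
    return 0;
}
```

Build with `cc -Wall example.c` and run: the vulnerable copy turns the sentinel 0xA5 into 0x00, the hardened copy rejects the 16-byte response while still accepting 15 bytes, and only the buggy scanner reports a newline at index 16. To reproduce the AddressSanitizer check mentioned under Detection Guidance, shrink the probes' storage arrays to exactly RESP_CAP bytes, drop the sentinel writes, and build with `-fsanitize=address`: the vulnerable routines are then reported as stack-buffer-overflow and the hardened ones are not.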

Impact Analysis

The primary impact of this vulnerability is a limited denial of service (DoS) affecting the ipa-otpd daemon. An attacker who controls or can intercept the IdP endpoint may trigger the daemon to read or write one byte beyond a fixed-size buffer. The write corrupts whatever is stored immediately after the buffer, and the read can fault if the buffer sits at the end of a mapping; because a single byte is involved and the written value is a NUL terminator rather than attacker-chosen data, the realistic outcome is a crash of ipa-otpd rather than code execution, which is why the impact is described as limited.

Exploitation does not require FreeIPA admin credentials but does require control or interception of the IdP traffic and user interaction to start the OAuth2 device authorization flow. The conditions for exploitation are considered non-trivial.

Detection Guidance

There is no signature for this vulnerability as such; detection means watching the ipa-otpd daemon for abnormal behaviour during OAuth2 device authorization flows against an external OAuth2/OIDC Identity Provider (IdP). Since the bug is an off-by-one overflow triggered by an oversized IdP response, the practical signal is crashes or restarts of ipa-otpd: review its journal entries and any core dumps, and correlate them with device authorization attempts against the configured IdP.

Additionally, using debugging tools such as AddressSanitizer during testing can help confirm the presence of the off-by-one errors in the oauth2.c code handling the buffer.

The page lists no specific network commands. In general, capture and inspect the OAuth2 device authorization traffic between the IPA server and the external IdP and look for oversized or malformed responses. Note that this traffic is TLS-protected, so a passive capture shows only sizes and timing; inspecting response bodies requires the IdP's own logs or an interception proxy in a test environment.

Mitigation Strategies

Immediate mitigation is to update FreeIPA to a version that fixes the off-by-one errors in the ipa-otpd daemon's OAuth2 implementation. This record lists no fixed version, so consult the assigner's (Red Hat's) advisory and the FreeIPA release notes for the patched release.

Because exploitation requires control of, or a man-in-the-middle position against, the external IdP plus user interaction, securing the channel between FreeIPA and the IdP (TLS with strict certificate validation and no trust in unexpected CAs) removes the MITM path. It does not help against an IdP that is itself malicious or compromised, so also limit external IdP configurations to providers you trust.

If possible, temporarily disabling or restricting the use of external OAuth2/OIDC Identity Providers in FreeIPA configurations until a patch is applied can prevent exploitation.
