VYPR
Low severity (3.7) · NVD Advisory · Published Apr 10, 2026 · Updated Apr 27, 2026

CVE-2026-40097

Description

Step CA is an online certificate authority for secure, automated certificate management for DevOps. In versions from 0.24.0 up to, but not including, 0.30.0-rc3, an attacker can trigger an index out-of-bounds panic in Step CA by sending a crafted attestation key (AK) certificate with an empty Extended Key Usage (EKU) extension during TPM device attestation. When processing a device-attest-01 ACME challenge using TPM attestation, Step CA validates that the AK certificate contains the tcg-kp-AIKCertificate Extended Key Usage OID. During this validation, the EKU extension value is decoded from its ASN.1 representation and the first element of the resulting list is checked. A crafted certificate can carry an EKU extension that decodes to an empty sequence, so accessing the first element of the empty slice panics. The vulnerability is reachable only when a device-attest-01 ACME challenge with TPM attestation is configured; deployments not using TPM device attestation are not affected. It is fixed in 0.30.0-rc3.
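The decode-then-index pattern the description lays out, as an added example in Go (illustrative code written for this page, not step-ca's own implementation; the validator function names, the self-signed test certificate and the callPanics helper are assumptions). It builds a certificate whose EKU extension is an empty SEQUENCE, shows that Go's crypto/x509 parser accepts such a certificate, and contrasts an unchecked oids[0] access with a length-checked version that also does not depend on OID order. The numeric value 2.23.133.8.3 for tcg-kp-AIKCertificate comes from the TCG EK Credential Profile, not from this page.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// id-ce-extKeyUsage (2.5.29.37) and tcg-kp-AIKCertificate (2.23.133.8.3), the
// EKU the advisory says an attestation key (AK) certificate must carry.
var (
	oidExtKeyUsage         = asn1.ObjectIdentifier{2, 5, 29, 37}
	oidTCGKpAIKCertificate = asn1.ObjectIdentifier{2, 23, 133, 8, 3}
)

// ekuOIDs decodes the raw EKU extension value (an ASN.1 SEQUENCE OF OID).
// The decoded slice may legitimately have zero elements.
func ekuOIDs(c *x509.Certificate) ([]asn1.ObjectIdentifier, error) {
	for _, ext := range c.Extensions {
		if !ext.Id.Equal(oidExtKeyUsage) {
			continue
		}
		var oids []asn1.ObjectIdentifier
		rest, err := asn1.Unmarshal(ext.Value, &oids)
		if err != nil {
			return nil, fmt.Errorf("malformed EKU extension: %w", err)
		}
		if len(rest) != 0 {
			return nil, errors.New("trailing bytes after EKU extension")
		}
		return oids, nil
	}
	return nil, errors.New("AK certificate has no EKU extension")
}

// vulnerableAKCheck reproduces the pattern the advisory describes (assumed
// shape, not step-ca's code): it reads oids[0] without checking the length.
func vulnerableAKCheck(c *x509.Certificate) error {
	oids, err := ekuOIDs(c)
	if err != nil {
		return err
	}
	if !oids[0].Equal(oidTCGKpAIKCertificate) { // index out of range when oids is empty
		return errors.New("AK certificate EKU is not tcg-kp-AIKCertificate")
	}
	return nil
}

// hardenedAKCheck rejects an empty EKU list and, because EKU carries no
// significant ordering, accepts the AIK OID at any position.
func hardenedAKCheck(c *x509.Certificate) error {
	oids, err := ekuOIDs(c)
	if err != nil {
		return err
	}
	if len(oids) == 0 {
		return errors.New("AK certificate EKU extension is empty")
	}
	for _, oid := range oids {
		if oid.Equal(oidTCGKpAIKCertificate) {
			return nil
		}
	}
	return errors.New("AK certificate EKU lacks tcg-kp-AIKCertificate")
}

// craftedAKCert builds a self-signed certificate (constructed sample input)
// whose EKU extension holds exactly the given OIDs; nil yields the empty
// SEQUENCE (DER 30 00) from the advisory. crypto/x509 parses it without error.
func craftedAKCert(eku []asn1.ObjectIdentifier) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	value, err := asn1.Marshal(eku)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:    big.NewInt(1),
		Subject:         pkix.Name{CommonName: "crafted AK"},
		NotBefore:       time.Now(),
		NotAfter:        time.Now().Add(time.Hour),
		ExtraExtensions: []pkix.Extension{{Id: oidExtKeyUsage, Value: value}},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// callPanics reports whether check panics, so the crash can be observed safely.
func callPanics(check func() error) (panicked bool) {
	defer func() {
		if recover() != nil {
			panicked = true
		}
	}()
	_ = check()
	return false
}

func main() {
	crafted, err := craftedAKCert(nil)
	if err != nil {
		panic(err)
	}
	fmt.Println("vulnerable check panics on empty EKU:", callPanics(func() error { return vulnerableAKCheck(crafted) }))
	fmt.Println("hardened check on empty EKU:", hardenedAKCheck(crafted))
}
```

Note that crypto/x509 already decodes the extension for you: an OID it does not recognise, such as the TCG one, lands in Certificate.UnknownExtKeyUsage, so a validator can inspect that slice instead of re-parsing ext.Value. Either way the length check is what matters; a panic inside request handling is reachable by any client that can reach the ACME endpoint with the attestation challenge enabled.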

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                            Ecosystem   Affected versions      Patched versions
github.com/smallstep/certificates  Go          >= 0.24.0, < 0.30.0    0.30.0

The GHSA range is coarser than the description: the description names 0.30.0-rc3 as the fixing release, while the advisory range treats everything below 0.30.0 as affected. The CPE entries below, which list only 0.30.0-rc1 and 0.30.0-rc2 among the pre-releases, are consistent with rc3 carrying the fix.

Affected products

  • Smallstep / Step CA (3 CPE entries)
    • cpe:2.3:a:smallstep:step-ca:0.30.0:rc1:*:*:*:go:*:*
    • cpe:2.3:a:smallstep:step-ca:0.30.0:rc2:*:*:*:go:*:*
    • cpe:2.3:a:smallstep:step-ca:*:*:*:*:*:go:*:* (range: >= 0.24.0, < 0.30.0)
  • ghsa-coords
    • Range: >= 0.24.0, < 0.30.0
