Description

Step CA is an online certificate authority for secure, automated certificate management for DevOps. From 0.24.0 to before 0.30.0-rc3, an attacker can trigger an index out-of-bounds panic in Step CA by sending a crafted attestation key (AK) certificate with an empty Extended Key Usage (EKU) extension during TPM device attestation. When processing a device-attest-01 ACME challenge using TPM attestation, Step CA validates that the AK certificate contains the tcg-kp-AIKCertificate Extended Key Usage OID. During this validation, the EKU extension value is decoded from its ASN.1 representation and the first element is checked. A crafted certificate could include an EKU extension that decodes to an empty sequence, causing the code to panic when accessing the first element of the empty slice. This vulnerability is only reachable when a device-attest-01 ACME challenge with TPM attestation is configured. Deployments not using TPM device attestation are not affected. This vulnerability is fixed in 0.30.0-rc3.

INFO

Published Date :

2026-04-10T16:34:53.330Z

Last Modified :

2026-04-10T18:30:15.176Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-40097 vulnerability.

No data.

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-40097.

URL Resource
https://github.com/smallstep/certificates/commit/ffd31ac0a87e03b0224cb8363094bfe602242888 cve-icon cve-icon
https://github.com/smallstep/certificates/pull/2569 cve-icon cve-icon
https://github.com/smallstep/certificates/releases/tag/v0.30.0 cve-icon cve-icon
https://github.com/smallstep/certificates/security/advisories/GHSA-9qq8-cgcv-qmc9 cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact