Off-by-One Errors in FreeIPA's OAuth2 Device Authorization Handler Impacting Red Hat
CVE-2026-14612
4.2 MEDIUM
What is CVE-2026-14612?
The FreeIPA ipa-otpd daemon's OAuth2 device authorization handler contains two off-by-one errors that can cause out-of-bounds memory access when it processes oversized responses from an external OAuth2/OIDC Identity Provider. The flaw is reachable only when FreeIPA is configured to use an external IdP that is under attacker control, or when traffic to the IdP endpoint is intercepted by a man-in-the-middle. Exploitation also requires a user to start the OAuth2 device authorization flow against that IdP; the worst-case outcome is a limited denial of service of the ipa-otpd daemon.
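To make the bug class concrete, the block below is an added illustration and is not ipa-otpd's code: it models a hypothetical handler that copies a field from an IdP response into a fixed-size buffer guarded by a length check that is off by one (it accepts a field exactly as long as the buffer, so the terminating NUL is written one byte past the end), beside the corrected check. A sentinel region placed directly after the buffer makes the out-of-bounds write observable without relying on undefined behaviour. The field size, struct layout and sample inputs are all constructed for the example.

```c
/* Added example, not FreeIPA/ipa-otpd source. Demonstrates the
 * "accept len == capacity" off-by-one when copying an oversized IdP
 * response field into a fixed buffer, and the corrected bound. */
#include <stddef.h>
#include <string.h>

#define FIELD_MAX  16   /* hypothetical field capacity: 15 chars + NUL */
#define CANARY_LEN  8
static const char CANARY[CANARY_LEN] = "CANARY!";  /* 7 chars + NUL */

/* One contiguous allocation so that the out-of-bounds write lands in the
 * canary bytes rather than in unrelated memory; this keeps the test well
 * defined while showing exactly which byte the bug corrupts. */
struct device_resp {
    char storage[FIELD_MAX + CANARY_LEN];
};

/* Vulnerable variant: the check lets len == FIELD_MAX through, so the
 * NUL terminator is written at index FIELD_MAX, one past the field. */
static int copy_field_vuln(char *dst, const char *src, size_t len)
{
    if (len > FIELD_MAX)        /* off by one: should be len >= FIELD_MAX */
        return -1;
    memcpy(dst, src, len);
    dst[len] = '\0';            /* dst[FIELD_MAX] when len == FIELD_MAX */
    return 0;
}

/* Fixed variant: reserve the last byte for the terminator. */
static int copy_field_fixed(char *dst, const char *src, size_t len)
{
    if (len >= FIELD_MAX)
        return -1;
    memcpy(dst, src, len);
    dst[len] = '\0';
    return 0;
}

/* Runs one variant on an untrusted field value.
 * Returns -1 if the input was rejected, 0 if it was copied in bounds,
 * and 1 if it was accepted but the canary after the field was clobbered
 * (i.e. the copy wrote out of bounds). */
int exercise(int use_fixed, const char *untrusted_field)
{
    struct device_resp r;
    memset(&r, 0, sizeof r);
    memcpy(r.storage + FIELD_MAX, CANARY, CANARY_LEN);

    size_t len = strlen(untrusted_field);
    int rc = use_fixed ? copy_field_fixed(r.storage, untrusted_field, len)
                       : copy_field_vuln(r.storage, untrusted_field, len);
    if (rc != 0)
        return -1;
    return memcmp(r.storage + FIELD_MAX, CANARY, CANARY_LEN) == 0 ? 0 : 1;
}
```

A field of exactly FIELD_MAX bytes (constructed input "0123456789ABCDEF") is the interesting case: the vulnerable check accepts it and the terminator overwrites the first canary byte, while the fixed check rejects it. Anything shorter is handled identically by both; anything longer is rejected by both. The practical takeaway for handlers that parse responses from an external IdP is to treat every length as attacker-controlled and size the bound against the buffer's capacity including the terminator, ideally with a single helper so the comparison is written once.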
CVSS V3.1
Score: 4.2 (MEDIUM)
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:L
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: Low
Credit
Red Hat would like to thank Andrew Rukin (Arenadata) for reporting this issue.