Off-by-One Errors in FreeIPA's OAuth2 Device Authorization Handler Impacting Red Hat
CVE-2026-14612

4.2 MEDIUM

What is CVE-2026-14612?

In the FreeIPA ipa-otpd daemon's OAuth2 device authorization handler, two off-by-one errors can lead to out-of-bounds memory access when the daemon handles oversized responses from an external OAuth2/OIDC Identity Provider. The condition is reachable when FreeIPA is configured to use an external IdP that is under attacker control, or when the IdP endpoint is compromised through a man-in-the-middle attack. Exploitation requires a user to initiate the OAuth2 device authorization flow; the impact is a limited denial of service of the ipa-otpd daemon.
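To make the bug class concrete, the following C snippet is an added illustration written for this page; it is not FreeIPA's code and does not reproduce the actual ipa-otpd defect. It assumes a hypothetical handler that copies one field of an IdP response into a fixed-size stack buffer (the buffer size `RESP_BUF_SZ` and the sample field value are constructed), and places the classic off-by-one length check next to the corrected one, together with a bounded copy routine that rejects oversized input instead of writing past the buffer.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed size for a buffer that might hold one field of an IdP's
 * device-authorization response (illustration only). */
#define RESP_BUF_SZ 64

/* The classic off-by-one: '>' admits len == out_sz, so the terminating NUL
 * would be written at out[out_sz], one byte past the end of the buffer.
 * This predicate only reports the decision; it never performs the write. */
int accepts_length_buggy(size_t len, size_t out_sz)
{
    return !(len > out_sz);
}

/* Correct bound: the NUL needs one byte, so the payload must be strictly
 * shorter than the buffer. */
int accepts_length_fixed(size_t len, size_t out_sz)
{
    return len < out_sz;
}

/* Copies an untrusted response field into a caller-supplied buffer.
 * Returns 0 on success, -1 if the input would not fit. Oversized input is
 * rejected rather than silently truncated, so a malformed IdP reply fails
 * loudly in the daemon's logs instead of corrupting memory. */
int copy_response_field(const char *src, size_t len, char *out, size_t out_sz)
{
    if (src == NULL || out == NULL || out_sz == 0)
        return -1;
    if (!accepts_length_fixed(len, out_sz))
        return -1;
    memcpy(out, src, len);
    out[len] = '\0';
    return 0;
}

/* Counts the lengths in [0, out_sz] that the buggy check admits but the
 * fixed check rejects. For any out_sz this is exactly one: len == out_sz. */
size_t count_overflowing_lengths(size_t out_sz)
{
    size_t n = 0;
    for (size_t len = 0; len <= out_sz; len++)
        if (accepts_length_buggy(len, out_sz) && !accepts_length_fixed(len, out_sz))
            n++;
    return n;
}

int main(void)
{
    char buf[RESP_BUF_SZ];
    /* Constructed sample: a device_code-like value of ordinary length. */
    const char *ok = "GmRhmhcxhwAzkoEqiMEg_DnyEysNkuNhszIyCi-8Mg";
    /* Constructed oversized field: longer than the buffer it is copied into. */
    char oversized[RESP_BUF_SZ + 8];
    memset(oversized, 'A', sizeof oversized);

    printf("normal field accepted: %d\n",
           copy_response_field(ok, strlen(ok), buf, sizeof buf) == 0);
    printf("oversized field rejected: %d\n",
           copy_response_field(oversized, sizeof oversized, buf, sizeof buf) == -1);
    printf("lengths the buggy check lets through: %zu\n",
           count_overflowing_lengths(sizeof buf));
    return 0;
}
```

The point of `count_overflowing_lengths` is that the two checks differ on exactly one input, which is why this class of defect survives ordinary testing: every response of normal length behaves identically under both, and only a response whose field is precisely the buffer size (or, for the `<=` variant of the same mistake, precisely one byte over) reaches the out-of-bounds write.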

CVSS V3.1

Score: 4.2
Severity: MEDIUM
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Credit

Red Hat would like to thank Andrew Rukin (Arenadata) for reporting this issue.