Index Out-of-Bounds Vulnerability in Step CA Certificate Management Software
CVE-2026-40097

3.7 LOW

Key Information:

Vendor

Smallstep

CVE Published:
10 April 2026

What is CVE-2026-40097?

step-ca, Smallstep's online certificate authority for automated certificate management, mishandles the attestation key (AK) certificate presented during TPM device attestation. When a client answers an ACME device-attest-01 challenge with a TPM attestation statement, the CA validates the AK certificate's Extended Key Usage (EKU). In versions 0.24.0 up to but not including 0.30.0-rc3, an AK certificate submitted with no EKU extension (an empty EKU list) causes the validator to index the first element of an empty slice, and the Go runtime raises an index out-of-bounds panic instead of returning a validation error. No authentication is needed to submit the certificate, but the request must reach an ACME provisioner that has device-attest-01 with TPM attestation enabled; deployments without that configuration are not affected. The issue is fixed in version 0.30.0-rc3.
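The bug class described above, shown as an added Go example rather than step-ca's own code: a check that indexes the first EKU of an attestation key certificate and panics when the extension is absent, beside a hardened check that returns an error instead. The EKU OID used is the TCG attestation key EKU tcg-kp-AIKCertificate (2.23.133.8.3), which Go's crypto/x509 reports in UnknownExtKeyUsage; the function names and the self-signed test certificates are constructed for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// oidTCGKpAIKCertificate is the TCG EKU for attestation (AIK/AK) certificates,
// 2.23.133.8.3. crypto/x509 does not know this OID, so after parsing it lands
// in Certificate.UnknownExtKeyUsage rather than Certificate.ExtKeyUsage.
var oidTCGKpAIKCertificate = asn1.ObjectIdentifier{2, 23, 133, 8, 3}

// makeAKCert builds a self-signed certificate standing in for an AK cert
// (constructed test input). withEKU controls whether the EKU extension is
// emitted at all; without it the parsed EKU slices are both empty.
func makeAKCert(withEKU bool) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "attestation key"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	if withEKU {
		tmpl.UnknownExtKeyUsage = []asn1.ObjectIdentifier{oidTCGKpAIKCertificate}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// checkAKEKUVulnerable is the bug pattern (hypothetical, not step-ca's code):
// it assumes the EKU list is non-empty and reads element [0]. For a
// certificate with no EKU extension the slice is empty and the access panics
// with "index out of range".
func checkAKEKUVulnerable(cert *x509.Certificate) error {
	if !cert.UnknownExtKeyUsage[0].Equal(oidTCGKpAIKCertificate) {
		return errors.New("first EKU is not tcg-kp-AIKCertificate")
	}
	return nil
}

// checkAKEKUHardened rejects a missing EKU extension with an error instead of
// panicking, and accepts the AK EKU at any position in the list.
func checkAKEKUHardened(cert *x509.Certificate) error {
	if len(cert.ExtKeyUsage) == 0 && len(cert.UnknownExtKeyUsage) == 0 {
		return errors.New("attestation key certificate has no EKU extension")
	}
	for _, oid := range cert.UnknownExtKeyUsage {
		if oid.Equal(oidTCGKpAIKCertificate) {
			return nil
		}
	}
	return errors.New("attestation key certificate lacks tcg-kp-AIKCertificate EKU")
}

// safeCall runs a check and converts a panic into a reported error, the way a
// recover() middleware keeps one malformed submission from crashing a server.
// It returns whether the check panicked and the resulting error.
func safeCall(check func(*x509.Certificate) error, cert *x509.Certificate) (panicked bool, err error) {
	defer func() {
		if r := recover(); r != nil {
			panicked = true
			err = fmt.Errorf("panic: %v", r)
		}
	}()
	return false, check(cert)
}

func main() {
	withEKU, _ := makeAKCert(true)
	noEKU, _ := makeAKCert(false)
	checks := []struct {
		name  string
		check func(*x509.Certificate) error
	}{{"vulnerable", checkAKEKUVulnerable}, {"hardened", checkAKEKUHardened}}
	for _, c := range checks {
		p, err := safeCall(c.check, withEKU)
		fmt.Printf("%-10s with EKU:    panicked=%v err=%v\n", c.name, p, err)
		p, err = safeCall(c.check, noEKU)
		fmt.Printf("%-10s without EKU: panicked=%v err=%v\n", c.name, p, err)
	}
}
```

Running it shows both checks accepting the certificate that carries the AK EKU; for the certificate without an EKU extension the vulnerable check panics while the hardened one returns an ordinary validation error that the ACME handler can surface to the client.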

Affected Version(s)

smallstep/certificates (step-ca) >= 0.24.0, < 0.30.0-rc3

CVSS V3.1

Score:
3.7
Severity:
LOW
Confidentiality:
None
Integrity:
None
Availability:
Low
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged
