Nixpkgs security tracker

Permalink CVE-2026-40097

3.7 LOW

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): HIGH
Privileges required (PR): NONE
User interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality impact (C): NONE
Integrity impact (I): NONE
Availability impact (A): LOW

created 4 days, 11 hours ago

Step CA affected by an index out of bounds panic in TPM attestation EKU validation

Step CA is an online certificate authority for secure, automated certificate management for DevOps. From 0.24.0 to before 0.30.0-rc3, an attacker can trigger an index out-of-bounds panic in Step CA by sending a crafted attestation key (AK) certificate with an empty Extended Key Usage (EKU) extension during TPM device attestation. When processing a device-attest-01 ACME challenge using TPM attestation, Step CA validates that the AK certificate contains the tcg-kp-AIKCertificate Extended Key Usage OID. During this validation, the EKU extension value is decoded from its ASN.1 representation and the first element is checked. A crafted certificate could include an EKU extension that decodes to an empty sequence, causing the code to panic when accessing the first element of the empty slice. This vulnerability is only reachable when a device-attest-01 ACME challenge with TPM attestation is configured. Deployments not using TPM device attestation are not affected. This vulnerability is fixed in 0.30.0-rc3.

References

https://github.com/smallstep/certificates/security/advisories/GHSA-9qq8-cgcv-qmc9 x_refsource_CONFIRM
https://github.com/smallstep/certificates/pull/2569 x_refsource_MISC
https://github.com/smallstep/certificates/commit/ffd31ac0a87e03b0224cb8363094bfe602242888 x_refsource_MISC
https://github.com/smallstep/certificates/releases/tag/v0.30.0 x_refsource_MISC

Affected products

certificates

==>= 0.24.0, < 0.30.0-rc3

Matching in nixpkgs

pkgs.python312Packages.azure-keyvault-certificates

Microsoft Azure Key Vault Certificates Client Library for Python

nixos-25.11 4.10.0
- nixos-25.11-small 4.10.0
- nixpkgs-25.11-darwin 4.10.0

pkgs.python313Packages.azure-keyvault-certificates

Microsoft Azure Key Vault Certificates Client Library for Python

nixos-unstable 4.10.0
- nixpkgs-unstable 4.10.0
- nixos-unstable-small 4.10.0
nixos-25.11 4.10.0
- nixos-25.11-small 4.10.0
- nixpkgs-25.11-darwin 4.10.0

pkgs.python314Packages.azure-keyvault-certificates

Microsoft Azure Key Vault Certificates Client Library for Python

nixos-unstable 4.10.0
- nixpkgs-unstable 4.10.0
- nixos-unstable-small 4.10.0

pkgs.azure-sdk-for-cpp.security-keyvault-certificates

Azure Key Vault Certificates client library for C++

nixos-unstable 4.3.0-beta.4
- nixpkgs-unstable 4.3.0-beta.4
- nixos-unstable-small 4.3.0-beta.4

Package maintainers

@tobim Tobias Mayer <nix@tobim.fastmail.fm>

Permalink CVE-2026-30836

10.0 CRITICAL

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): NONE
User interaction (UI): NONE
Scope (S): CHANGED
Confidentiality impact (C): HIGH
Integrity impact (I): HIGH
Availability impact (A): NONE

created 3 weeks, 5 days ago

Step CA: Unauthenticated Certificate Issuance via SCEP UpdateReq (MessageType=18)

Step CA is an online certificate authority for secure, automated certificate management for DevOps. Versions 0.30.0-rc6 and below do not safeguard against unauthenticated certificate issuance through the SCEP UpdateReq. This issue has been fixed in version 0.30.0.