Bug 2494800 - CVE-2026-12610 pam: Use-after-free crash in SSSD' 'sssd_pam' process [fedora-all]
Summary: CVE-2026-12610 pam: Use-after-free crash in SSSD' 'sssd_pam' process [fedora-...
Keywords:
Status: CLOSED DUPLICATE of bug 2494777
Alias: None
Product: Fedora
Classification: Fedora
Component: sssd
Version: rawhide
Hardware: Unspecified
OS: Unspecified
medium
medium
Target Milestone: ---
Assignee: sssd-maintainers
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: {"flaws": ["a698ddf8-512e-456f-90fe-1...
Depends On:
Blocks: CVE-2026-12610
TreeView+ depends on / blocked
 
Reported: 2026-06-30 08:19 UTC by Srikanth Balasubramanian
Modified: 2026-06-30 09:32 UTC (History)
10 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2026-06-30 09:32:30 UTC
Type: ---
Embargoed:


Attachments (Terms of Use)

Description Srikanth Balasubramanian 2026-06-30 08:19:55 UTC
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.

When authenticating with a YubiKey, the SSSD PAM responder crashes inside sss_certmap_match_cert because the sss_certmap_ctx pointer passed to it has already been freed and reused for string data from the p11_child response.
The pointer value 0x6e65687475412056 decodes to ASCII "V Auth en" which is part from the certificate label "X.509 Certificate for PIV Authentication" returned by p11_child. This confirms that the freed sss_certmap_ctx memory was reused during response parsing.

Root cause:
sss_certmap_ctx is owned by the PAM request state. If the request is cancelled or completes while the asynchronous p11_child process is still running, the request state (and the context) is freed. When the child eventually returns and p11_child_done / parse_p11_child_response run, they call sss_certmap_match_cert with a dangling pointer. The certificate data (token name, label, or certificate contents) then occupies the freed memory.

Impact:
Denial of service: The PAM responder crashes, breaking authentication in some cases.
Potential privilege escalation: Because an attacker controls the smartcard/YubiKey contents, they can influence the data that replaces the freed sss_certmap_ctx structure, turning this into a controlled use-after-free in a privileged, long-running process (although this looks hard to exploit).

Comment 1 Iker Pedrosa 2026-06-30 09:23:40 UTC
Moving to SSSD component

Comment 2 Alexey Tikhonov 2026-06-30 09:32:30 UTC

*** This bug has been marked as a duplicate of bug 2494777 ***


Note You need to log in before you can comment on or make changes to this bug.