Bug 2496886 - CVE-2026-14612 freeipa: freeipa: off-by-one buffer overflows in ipa-otpd oauth2.c during OAuth2 device authorization [fedora-all]
Summary: CVE-2026-14612 freeipa: freeipa: off-by-one buffer overflows in ipa-otpd oaut...
Keywords:
Status: NEW
Alias: None
Product: Fedora
Classification: Fedora
Component: freeipa
Version: rawhide
Hardware: Unspecified
OS: Unspecified
low
low
Target Milestone: ---
Assignee: IPA Maintainers
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: {"flaws": ["2f8a565a-d9ca-4111-b2c0-2...
Depends On:
Blocks: CVE-2026-14612
TreeView+ depends on / blocked
 
Reported: 2026-07-03 15:04 UTC by Samuele Negrini
Modified: 2026-07-08 10:47 UTC (History)
7 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Type: ---
Embargoed:


Attachments (Terms of Use)

Description Samuele Negrini 2026-07-03 15:04:20 UTC
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.

Two related off-by-one memory safety bugs in the FreeIPA ipa-otpd daemon,
in oauth2_on_child_readable() (daemons/ipa-otpd/oauth2.c). Confirmed by
reporter with AddressSanitizer on minimal reproducers. Verified against
upstream master (2026-07-03): vulnerable code still present.

Bug #1 — Out-of-bounds write (CWE-787), oauth2.c ~line 282
    static char buf[10240];
    io = read(verto_get_fd(ev), buf, 10240);
    if (io >= 0) {
        buf[io] = '\0';   // OOB when io == 10240
    }

Bug #2 — Out-of-bounds read (CWE-125), oauth2.c ~line 305
    rad_reply = memchr(buf, '\n', io);
    if (rad_reply != NULL) {
        *rad_reply = '\0';
        rad_reply++;
        end = memchr(rad_reply, '\n', io - (rad_reply - 1 - buf));  // off by 1
    }

Prerequisites:
1. FreeIPA configured with external IdP (ipa idp-add)
2. Attacker controls IdP endpoint or can MITM IdP traffic
3. A domain user initiates OAuth2 device authorization (kinit / IdP-backed account)

Requirements to exploit:
No FreeIPA admin credentials required on attacker side. Attacker operates at
the IdP layer. User interaction required to start the OAuth2 device flow.
Exploitation preconditions are non-trivial (IdP control/MITM + configured IdP).

Comment 2 Alexander Bokovoy 2026-07-03 15:42:02 UTC
Public fix: https://github.com/freeipa/freeipa/pull/8473

We consider this a low priority.


Note You need to log in before you can comment on or make changes to this bug.