Bug 2496879 (CVE-2026-14612) - CVE-2026-14612 freeipa: ipa: idm: freeipa: off-by-one buffer overflows in ipa-otpd oauth2.c during OAuth2 device authorization [NEEDINFO]
Summary: CVE-2026-14612 freeipa: ipa: idm: freeipa: off-by-one buffer overflows in ipa...
Keywords:
Status: NEW
Alias: CVE-2026-14612
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2496886
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-07-03 14:53 UTC by OSIDB Bzimport
Modified: 2026-07-03 15:36 UTC (History)
6 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:
abokovoy: needinfo? (snegrini)


Attachments (Terms of Use)

Description OSIDB Bzimport 2026-07-03 14:53:52 UTC
Two related off-by-one memory safety bugs in the FreeIPA ipa-otpd daemon,
in oauth2_on_child_readable() (daemons/ipa-otpd/oauth2.c). Confirmed by
reporter with AddressSanitizer on minimal reproducers. Verified against
upstream master (2026-07-03): vulnerable code still present.

Bug #1 — Out-of-bounds write (CWE-787), oauth2.c ~line 282
    static char buf[10240];
    io = read(verto_get_fd(ev), buf, 10240);
    if (io >= 0) {
        buf[io] = '\0';   // OOB when io == 10240
    }

Bug #2 — Out-of-bounds read (CWE-125), oauth2.c ~line 305
    rad_reply = memchr(buf, '\n', io);
    if (rad_reply != NULL) {
        *rad_reply = '\0';
        rad_reply++;
        end = memchr(rad_reply, '\n', io - (rad_reply - 1 - buf));  // off by 1
    }

Prerequisites:
1. FreeIPA configured with external IdP (ipa idp-add)
2. Attacker controls IdP endpoint or can MITM IdP traffic
3. A domain user initiates OAuth2 device authorization (kinit / IdP-backed account)

Requirements to exploit:
No FreeIPA admin credentials required on attacker side. Attacker operates at
the IdP layer. User interaction required to start the OAuth2 device flow.
Exploitation preconditions are non-trivial (IdP control/MITM + configured IdP).


Note You need to log in before you can comment on or make changes to this bug.