Description
TCG TPM2.0 Reference implementation's CryptHmacSign helper function is vulnerable to Out-of-Bounds read due to the lack of validation the signature scheme with the signature key's algorithm. See Errata Revision 1.83 and advisory TCGVRT0009 for TCG standard TPM2.0
Published: 2025-06-10
Score: 6.6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Assess
AI Analysis

Impact

The tracked vulnerability is an out‑of‑bounds read located in the CryptHmacSign helper function of the TCG TPM2.0 reference implementation. The issue arises because the function does not verify that the supplied signature scheme matches the algorithm used by the signature key, allowing an attacker to read memory contents beyond the bounds of a buffer. This read can potentially expose sensitive data stored in memory, thus compromising confidentiality. The weakness is identified as CWE‑125.

Affected Systems

The affected vendor is the Trusted Computing Group, providing the TPM2.0 reference implementation library. Any system that uses this reference implementation, particularly the versions prior to the errata revision 1.83, is susceptible. Exact version details are not disclosed beyond the reference to the errata release, indicating that earlier builds lack the necessary bounds checks.

Risk and Exploitability

With a CVSS score of 6.6, the risk is considered moderate. The EPSS score of less than 1% suggests a low but non‑zero probability of exploitation. The vulnerability is not listed in CISA’s KEV catalog, reducing immediate urgency. The attack likely requires a privilege that allows crafting a malicious signature or manipulating input to the CryptHmacSign function, which may be achievable through an application that interfaces directly with the TPM. Further exploitation beyond information disclosure is not documented in the available data.

Generated by OpenCVE AI on April 20, 2026 at 17:03 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the TPM2.0 reference implementation to the latest errata revision (1.83) which includes the bounds‑check fix.
  • If upgrading the vendor library is not immediately possible, apply the specific commit (hash 04b2d8e9) from the libtpms repository that patches the CryptHmacSign helper.
  • Configure TPM client applications to validate the signature scheme against the signing key algorithm before invoking the helper, to enforce proper input validation.

Generated by OpenCVE AI on April 20, 2026 at 17:03 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-17717 TCG TPM2.0 Reference implementation's CryptHmacSign helper function is vulnerable to Out-of-Bounds read due to the lack of validation the signature scheme with the signature key's algorithm. See Errata 1.83 and advisory VRT0009 of TCG standard TPM2.0
History

Tue, 14 Apr 2026 10:30:00 +0000

Type Values Removed Values Added
References

Sat, 12 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.00012}

 epss

{'score': 0.00014}

Fri, 13 Jun 2025 17:45:00 +0000

Type Values Removed Values Added
Description TCG TPM2.0 Reference implementation's CryptHmacSign helper function is vulnerable to Out-of-Bounds read due to the lack of validation the signature scheme with the signature key's algorithm. See Errata 1.83 and advisory VRT0009 of TCG standard TPM2.0 TCG TPM2.0 Reference implementation's CryptHmacSign helper function is vulnerable to Out-of-Bounds read due to the lack of validation the signature scheme with the signature key's algorithm. See Errata Revision 1.83 and advisory TCGVRT0009 for TCG standard TPM2.0
References

Fri, 13 Jun 2025 02:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

 cvssV3_1

{'score': 6.6, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 11 Jun 2025 15:15:00 +0000

Type Values Removed Values Added
Description TCG TPM2.0 Reference implementation's CryptHmacSign helper function is vulnerable to Out-of-Bounds read due to the lack of validation the signature scheme with the signature key's algorithm. See Errata 1.83 of TCG standard TPM2.0 TCG TPM2.0 Reference implementation's CryptHmacSign helper function is vulnerable to Out-of-Bounds read due to the lack of validation the signature scheme with the signature key's algorithm. See Errata 1.83 and advisory VRT0009 of TCG standard TPM2.0
Weaknesses CWE-125
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 10 Jun 2025 19:45:00 +0000

Type Values Removed Values Added
References

Tue, 10 Jun 2025 17:45:00 +0000

Type Values Removed Values Added
Description TCG TPM2.0 Reference implementation's CryptHmacSign helper function is vulnerable to Out-of-Bounds read due to the lack of validation the signature scheme with the signature key's algorithm. See Errata 1.83 of TCG standard TPM2.0
Title Out-of-Bounds read vulnerability in TCG TPM2.0 reference implementation
References

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: certcc

Published:

Updated: 2026-04-14T08:58:06.200Z

Reserved: 2025-03-27T21:01:41.908Z

Link: CVE-2025-2884

cve-icon Vulnrichment

Updated: 2025-06-10T19:02:29.811Z

cve-icon NVD

Status : Deferred

Published: 2025-06-10T18:15:30.617

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-2884

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-20T17:15:12Z

Weaknesses