Impact
An attacker can craft a TPM event log that exploits the failure of the Google go‑attestation library to advance past vendor header bytes in the parseEfiSignatureList function. Because the parser reads vendor bytes as part of a hash list, the attacker’s chosen bytes can be appended to the trusted SHA‑256 hash database. This flaw enables the injection of arbitrary SHA‑256 hashes, allowing a remote attestation verifier to accept a compromised boot state—a classic integrity breach classified as CWE‑1285.
Affected Systems
All users of the Google go‑attestation library through version 0.6.0 are affected. The vulnerability exists in the default parsing logic and does not require any additional configuration. Versions 0.6.1 and later include the vendor header validation fix and are not impacted.
Risk and Exploitability
The CVSS score of 8.9 indicates high severity, and although the EPSS score is unavailable, the flaw’s potential to compromise the integrity of remote attestation systems makes it a significant risk. The vulnerability is not listed in the CISA KEV catalog. Attackers would need to supply a maliciously crafted TPM event log to an attestation verifier that processes untrusted or insufficiently validated logs; if used, the flaw could lead to successful integrity subversion of the boot process.
OpenCVE Enrichment