Description
libtpms, a library that provides software emulation of a Trusted Platform Module, has a flaw in versions 0.10.0 and 0.10.1. The commonly used integration of libtpms with OpenSSL 3.x contained a vulnerability related to the returned IV (initialization vector) when certain symmetric ciphers were used. Instead of returning the last IV it returned the initial IV to the caller, thus weakening the subsequent encryption and decryption steps. The highest threat from this vulnerability is to data confidentiality. Version 0.10.2 fixes the issue. No known workarounds are available.
Published: 2026-01-02
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Data Confidentiality
Action: Patch
AI Analysis

Impact

The vulnerability in libtpms causes the library to return the initial initialization vector instead of the updated one when certain symmetric ciphers are used, thereby weakening the cryptographic strength of subsequent encryption and decryption operations. This flaw is a cryptographic weakness that undermines data confidentiality, making encrypted data more susceptible to decryption by an attacker. It is rooted in the improper handling of IVs and the use of a weak cryptographic algorithm, as indicated by the associated CWE identifiers.

Affected Systems

Affected versions are libtpms 0.10.0 and 0.10.1. The library is provided by stefanberger under the libtpms project and is commonly integrated with OpenSSL 3.x. Version 0.10.2 and later contain a fix that restores correct IV handling. No other product versions are listed as affected.

Risk and Exploitability

The CVSS vector indicates a medium severity (5.5). The EPSS score is below 1%, implying a very low probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog. Attackers would need to operate in an environment where libtpms is used for encryption, and success would primarily compromise data confidentiality rather than achieving remote code execution or denial of service.

Generated by OpenCVE AI on April 18, 2026 at 08:31 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update libtpms to version 0.10.2 or later
  • Rebuild or reconfigure any applications that link against libtpms so that they use the updated library version
  • Review cryptographic logs or use diagnostic tools to confirm that IVs are being correctly returned and applied

Generated by OpenCVE AI on April 18, 2026 at 08:31 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 25 Feb 2026 15:30:00 +0000

Type Values Removed Values Added
First Time appeared Libtpms Project
Libtpms Project libtpms
CPEs cpe:2.3:a:libtpms_project:libtpms:*:*:*:*:*:*:*:*
Vendors & Products Libtpms Project
Libtpms Project libtpms

Tue, 06 Jan 2026 00:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sat, 03 Jan 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 threat_severity

Moderate

Fri, 02 Jan 2026 19:15:00 +0000

Type Values Removed Values Added
Description libtpms, a library that provides software emulation of a Trusted Platform Module, has a flaw in versions 0.10.0 and 0.10.1. The commonly used integration of libtpms with OpenSSL 3.x contained a vulnerability related to the returned IV (initialization vector) when certain symmetric ciphers were used. Instead of returning the last IV it returned the initial IV to the caller, thus weakening the subsequent encryption and decryption steps. The highest threat from this vulnerability is to data confidentiality. Version 0.10.2 fixes the issue. No known workarounds are available.
Title libtpms returns wrong initialization vector when certain symmetric ciphers are used
Weaknesses CWE-327
CWE-330
References
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}

Subscriptions

Libtpms Project Libtpms
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-05T20:37:42.203Z

Reserved: 2025-12-29T03:00:29.276Z

Link: CVE-2026-21444

cve-icon Vulnrichment

Updated: 2026-01-05T20:30:20.466Z

cve-icon NVD

Status : Analyzed

Published: 2026-01-02T19:15:48.763

Modified: 2026-02-25T15:18:34.413

Link: CVE-2026-21444

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-01-02T19:05:31Z

Links: CVE-2026-21444 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T08:45:41Z

Weaknesses