Search

Find a vulnerability

Search criteria

    4 vulnerabilities found for libtpms by stefanberger

    CVE-2026-21444 (GCVE-0-2026-21444)

    Vulnerability from nvd – Published: 2026-01-02 19:05 – Updated: 2026-01-05 20:37
    VLAI
    Title
    libtpms returns wrong initialization vector when certain symmetric ciphers are used
    Summary
    libtpms, a library that provides software emulation of a Trusted Platform Module, has a flaw in versions 0.10.0 and 0.10.1. The commonly used integration of libtpms with OpenSSL 3.x contained a vulnerability related to the returned IV (initialization vector) when certain symmetric ciphers were used. Instead of returning the last IV it returned the initial IV to the caller, thus weakening the subsequent encryption and decryption steps. The highest threat from this vulnerability is to data confidentiality. Version 0.10.2 fixes the issue. No known workarounds are available.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-327 - Use of a Broken or Risky Cryptographic Algorithm
    • CWE-330 - Use of Insufficiently Random Values
    Assigner
    Impacted products
    Vendor Product Version
    stefanberger libtpms Affected: >= 0.10.0, < 0.10.2
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-21444",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-01-05T20:30:19.842839Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-01-05T20:37:42.203Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "libtpms",
              "vendor": "stefanberger",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 0.10.0, \u003c 0.10.2"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "libtpms, a library that provides software emulation of a Trusted Platform Module, has a flaw in versions 0.10.0 and 0.10.1. The commonly used integration of libtpms with OpenSSL 3.x contained a vulnerability related to the returned IV (initialization vector) when certain symmetric ciphers were used. Instead of returning the last IV it returned the initial IV to the caller, thus weakening the subsequent encryption and decryption steps. The highest threat from this vulnerability is to data confidentiality. Version 0.10.2 fixes the issue. No known workarounds are available."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "NONE",
                "baseScore": 5.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-327",
                  "description": "CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-330",
                  "description": "CWE-330: Use of Insufficiently Random Values",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-01-02T19:05:31.503Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/stefanberger/libtpms/security/advisories/GHSA-7jxr-4j3g-p34f",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/stefanberger/libtpms/security/advisories/GHSA-7jxr-4j3g-p34f"
            },
            {
              "name": "https://github.com/stefanberger/libtpms/issues/541",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/stefanberger/libtpms/issues/541"
            },
            {
              "name": "https://github.com/stefanberger/libtpms/commit/33c9ff074cb16c1841ce7d7f33643c17c426743a",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/stefanberger/libtpms/commit/33c9ff074cb16c1841ce7d7f33643c17c426743a"
            }
          ],
          "source": {
            "advisory": "GHSA-7jxr-4j3g-p34f",
            "discovery": "UNKNOWN"
          },
          "title": "libtpms returns wrong initialization vector when certain symmetric ciphers are used"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-21444",
        "datePublished": "2026-01-02T19:05:31.503Z",
        "dateReserved": "2025-12-29T03:00:29.276Z",
        "dateUpdated": "2026-01-05T20:37:42.203Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-49133 (GCVE-0-2025-49133)

    Vulnerability from nvd – Published: 2025-06-10 19:46 – Updated: 2025-11-03 20:05
    VLAI
    Title
    Libtpms contains a possible out-of-bound access and abort due to HMAC signing issue
    Summary
    Libtpms is a library that targets the integration of TPM functionality into hypervisors, primarily into Qemu. Libtpms, which is derived from the TPM 2.0 reference implementation code published by the Trusted Computing Group, is prone to a potential out of bounds (OOB) read vulnerability. The vulnerability occurs in the ‘CryptHmacSign’ function with an inconsistent pairing of the signKey and signScheme parameters, where the signKey is ALG_KEYEDHASH key and inScheme is an ECC or RSA scheme. The reported vulnerability is in the ‘CryptHmacSign’ function, which is defined in the "Part 4: Supporting Routines – Code" document, section "7.151 - /tpm/src/crypt/CryptUtil.c ". This vulnerability can be triggered from user-mode applications by sending malicious commands to a TPM 2.0/vTPM (swtpm) whose firmware is based on an affected TCG reference implementation. The effect on libtpms is that it will cause an abort due to the detection of the out-of-bounds access, thus for example making a vTPM (swtpm) unavailable to a VM. This vulnerability is fixed in 0.7.12, 0.8.10, 0.9.7, and 0.10.1.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    stefanberger libtpms Affected: = 0.7.11
    Affected: = 0.8.9
    Affected: = 0.9.6
    Affected: = 0.10.0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-49133",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-06-10T20:00:47.887183Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-06-10T20:01:40.310Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2025-11-03T20:05:08.172Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "url": "https://www.kb.cert.org/vuls/id/282450"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "libtpms",
              "vendor": "stefanberger",
              "versions": [
                {
                  "status": "affected",
                  "version": "= 0.7.11"
                },
                {
                  "status": "affected",
                  "version": "= 0.8.9"
                },
                {
                  "status": "affected",
                  "version": "= 0.9.6"
                },
                {
                  "status": "affected",
                  "version": "= 0.10.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Libtpms is a library that targets the integration of TPM functionality into hypervisors, primarily into Qemu. Libtpms, which is derived from the TPM 2.0 reference implementation code published by the Trusted Computing Group, is prone to a potential out of bounds (OOB) read vulnerability. The vulnerability occurs in the \u2018CryptHmacSign\u2019 function with an inconsistent pairing of the signKey and signScheme parameters, where the signKey is ALG_KEYEDHASH key and inScheme is an ECC or RSA scheme. The reported vulnerability is in the \u2018CryptHmacSign\u2019 function, which is defined in the \"Part 4: Supporting Routines \u2013 Code\" document, section \"7.151 - /tpm/src/crypt/CryptUtil.c \". This vulnerability can be triggered from user-mode applications by sending malicious commands to a TPM 2.0/vTPM (swtpm) whose firmware is based on an affected TCG reference implementation. The effect on libtpms is that it will cause an abort due to the detection of the out-of-bounds access, thus for example making a vTPM (swtpm) unavailable to a VM. This vulnerability is fixed in 0.7.12, 0.8.10, 0.9.7, and 0.10.1."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "HIGH",
                "baseScore": 5.9,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:N/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-125",
                  "description": "CWE-125: Out-of-bounds Read",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-06-10T19:46:27.397Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/stefanberger/libtpms/security/advisories/GHSA-25w5-6fjj-hf8g",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/stefanberger/libtpms/security/advisories/GHSA-25w5-6fjj-hf8g"
            },
            {
              "name": "https://github.com/stefanberger/libtpms/commit/04b2d8e9afc0a9b6bffe562a23e58c0de11532d1",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/stefanberger/libtpms/commit/04b2d8e9afc0a9b6bffe562a23e58c0de11532d1"
            },
            {
              "name": "https://trustedcomputinggroup.org/resource/tpm-library-specification",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://trustedcomputinggroup.org/resource/tpm-library-specification"
            },
            {
              "name": "https://trustedcomputinggroup.org/wp-content/uploads/TPM-2.0-1.83-Part-4-Supporting-Routines-Code.pdf",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://trustedcomputinggroup.org/wp-content/uploads/TPM-2.0-1.83-Part-4-Supporting-Routines-Code.pdf"
            }
          ],
          "source": {
            "advisory": "GHSA-25w5-6fjj-hf8g",
            "discovery": "UNKNOWN"
          },
          "title": "Libtpms contains a possible out-of-bound access and abort due to HMAC signing issue"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2025-49133",
        "datePublished": "2025-06-10T19:46:27.397Z",
        "dateReserved": "2025-06-02T10:39:41.633Z",
        "dateUpdated": "2025-11-03T20:05:08.172Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-21444 (GCVE-0-2026-21444)

    Vulnerability from cvelistv5 – Published: 2026-01-02 19:05 – Updated: 2026-01-05 20:37
    VLAI
    Title
    libtpms returns wrong initialization vector when certain symmetric ciphers are used
    Summary
    libtpms, a library that provides software emulation of a Trusted Platform Module, has a flaw in versions 0.10.0 and 0.10.1. The commonly used integration of libtpms with OpenSSL 3.x contained a vulnerability related to the returned IV (initialization vector) when certain symmetric ciphers were used. Instead of returning the last IV it returned the initial IV to the caller, thus weakening the subsequent encryption and decryption steps. The highest threat from this vulnerability is to data confidentiality. Version 0.10.2 fixes the issue. No known workarounds are available.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-327 - Use of a Broken or Risky Cryptographic Algorithm
    • CWE-330 - Use of Insufficiently Random Values
    Assigner
    Impacted products
    Vendor Product Version
    stefanberger libtpms Affected: >= 0.10.0, < 0.10.2
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-21444",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-01-05T20:30:19.842839Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-01-05T20:37:42.203Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "libtpms",
              "vendor": "stefanberger",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 0.10.0, \u003c 0.10.2"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "libtpms, a library that provides software emulation of a Trusted Platform Module, has a flaw in versions 0.10.0 and 0.10.1. The commonly used integration of libtpms with OpenSSL 3.x contained a vulnerability related to the returned IV (initialization vector) when certain symmetric ciphers were used. Instead of returning the last IV it returned the initial IV to the caller, thus weakening the subsequent encryption and decryption steps. The highest threat from this vulnerability is to data confidentiality. Version 0.10.2 fixes the issue. No known workarounds are available."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "NONE",
                "baseScore": 5.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-327",
                  "description": "CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-330",
                  "description": "CWE-330: Use of Insufficiently Random Values",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-01-02T19:05:31.503Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/stefanberger/libtpms/security/advisories/GHSA-7jxr-4j3g-p34f",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/stefanberger/libtpms/security/advisories/GHSA-7jxr-4j3g-p34f"
            },
            {
              "name": "https://github.com/stefanberger/libtpms/issues/541",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/stefanberger/libtpms/issues/541"
            },
            {
              "name": "https://github.com/stefanberger/libtpms/commit/33c9ff074cb16c1841ce7d7f33643c17c426743a",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/stefanberger/libtpms/commit/33c9ff074cb16c1841ce7d7f33643c17c426743a"
            }
          ],
          "source": {
            "advisory": "GHSA-7jxr-4j3g-p34f",
            "discovery": "UNKNOWN"
          },
          "title": "libtpms returns wrong initialization vector when certain symmetric ciphers are used"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-21444",
        "datePublished": "2026-01-02T19:05:31.503Z",
        "dateReserved": "2025-12-29T03:00:29.276Z",
        "dateUpdated": "2026-01-05T20:37:42.203Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-49133 (GCVE-0-2025-49133)

    Vulnerability from cvelistv5 – Published: 2025-06-10 19:46 – Updated: 2025-11-03 20:05
    VLAI
    Title
    Libtpms contains a possible out-of-bound access and abort due to HMAC signing issue
    Summary
    Libtpms is a library that targets the integration of TPM functionality into hypervisors, primarily into Qemu. Libtpms, which is derived from the TPM 2.0 reference implementation code published by the Trusted Computing Group, is prone to a potential out of bounds (OOB) read vulnerability. The vulnerability occurs in the ‘CryptHmacSign’ function with an inconsistent pairing of the signKey and signScheme parameters, where the signKey is ALG_KEYEDHASH key and inScheme is an ECC or RSA scheme. The reported vulnerability is in the ‘CryptHmacSign’ function, which is defined in the "Part 4: Supporting Routines – Code" document, section "7.151 - /tpm/src/crypt/CryptUtil.c ". This vulnerability can be triggered from user-mode applications by sending malicious commands to a TPM 2.0/vTPM (swtpm) whose firmware is based on an affected TCG reference implementation. The effect on libtpms is that it will cause an abort due to the detection of the out-of-bounds access, thus for example making a vTPM (swtpm) unavailable to a VM. This vulnerability is fixed in 0.7.12, 0.8.10, 0.9.7, and 0.10.1.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    stefanberger libtpms Affected: = 0.7.11
    Affected: = 0.8.9
    Affected: = 0.9.6
    Affected: = 0.10.0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-49133",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-06-10T20:00:47.887183Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-06-10T20:01:40.310Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2025-11-03T20:05:08.172Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "url": "https://www.kb.cert.org/vuls/id/282450"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "libtpms",
              "vendor": "stefanberger",
              "versions": [
                {
                  "status": "affected",
                  "version": "= 0.7.11"
                },
                {
                  "status": "affected",
                  "version": "= 0.8.9"
                },
                {
                  "status": "affected",
                  "version": "= 0.9.6"
                },
                {
                  "status": "affected",
                  "version": "= 0.10.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Libtpms is a library that targets the integration of TPM functionality into hypervisors, primarily into Qemu. Libtpms, which is derived from the TPM 2.0 reference implementation code published by the Trusted Computing Group, is prone to a potential out of bounds (OOB) read vulnerability. The vulnerability occurs in the \u2018CryptHmacSign\u2019 function with an inconsistent pairing of the signKey and signScheme parameters, where the signKey is ALG_KEYEDHASH key and inScheme is an ECC or RSA scheme. The reported vulnerability is in the \u2018CryptHmacSign\u2019 function, which is defined in the \"Part 4: Supporting Routines \u2013 Code\" document, section \"7.151 - /tpm/src/crypt/CryptUtil.c \". This vulnerability can be triggered from user-mode applications by sending malicious commands to a TPM 2.0/vTPM (swtpm) whose firmware is based on an affected TCG reference implementation. The effect on libtpms is that it will cause an abort due to the detection of the out-of-bounds access, thus for example making a vTPM (swtpm) unavailable to a VM. This vulnerability is fixed in 0.7.12, 0.8.10, 0.9.7, and 0.10.1."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "HIGH",
                "baseScore": 5.9,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:N/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-125",
                  "description": "CWE-125: Out-of-bounds Read",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-06-10T19:46:27.397Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/stefanberger/libtpms/security/advisories/GHSA-25w5-6fjj-hf8g",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/stefanberger/libtpms/security/advisories/GHSA-25w5-6fjj-hf8g"
            },
            {
              "name": "https://github.com/stefanberger/libtpms/commit/04b2d8e9afc0a9b6bffe562a23e58c0de11532d1",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/stefanberger/libtpms/commit/04b2d8e9afc0a9b6bffe562a23e58c0de11532d1"
            },
            {
              "name": "https://trustedcomputinggroup.org/resource/tpm-library-specification",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://trustedcomputinggroup.org/resource/tpm-library-specification"
            },
            {
              "name": "https://trustedcomputinggroup.org/wp-content/uploads/TPM-2.0-1.83-Part-4-Supporting-Routines-Code.pdf",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://trustedcomputinggroup.org/wp-content/uploads/TPM-2.0-1.83-Part-4-Supporting-Routines-Code.pdf"
            }
          ],
          "source": {
            "advisory": "GHSA-25w5-6fjj-hf8g",
            "discovery": "UNKNOWN"
          },
          "title": "Libtpms contains a possible out-of-bound access and abort due to HMAC signing issue"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2025-49133",
        "datePublished": "2025-06-10T19:46:27.397Z",
        "dateReserved": "2025-06-02T10:39:41.633Z",
        "dateUpdated": "2025-11-03T20:05:08.172Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }