CVE-2025-68792 (GCVE-0-2025-68792)

Vulnerability from cvelistv5 – Published: 2026-01-13 15:29 – Updated: 2026-01-13 15:29
VLAI?
Title
tpm2-sessions: Fix out of range indexing in name_size
Summary
In the Linux kernel, the following vulnerability has been resolved: tpm2-sessions: Fix out of range indexing in name_size 'name_size' does not have any range checks, and it just directly indexes with TPM_ALG_ID, which could lead into memory corruption at worst. Address the issue by only processing known values and returning -EINVAL for unrecognized values. Make also 'tpm_buf_append_name' and 'tpm_buf_fill_hmac_session' fallible so that errors are detected before causing any spurious TPM traffic. End also the authorization session on failure in both of the functions, as the session state would be then by definition corrupted.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: 1085b8276bb4239daa7008f0dcd5c973e4bd690f , < 04a3aa6e8c5f878cc51a8a1c90b6d3c54079bc43 (git)
Affected: 1085b8276bb4239daa7008f0dcd5c973e4bd690f , < 6e9722e9a7bfe1bbad649937c811076acf86e1fd (git)
Create a notification for this product.
    Linux Linux Affected: 6.10
Unaffected: 0 , < 6.10 (semver)
Unaffected: 6.18.3 , ≤ 6.18.* (semver)
Unaffected: 6.19-rc1 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/char/tpm/tpm2-cmd.c",
            "drivers/char/tpm/tpm2-sessions.c",
            "include/linux/tpm.h",
            "security/keys/trusted-keys/trusted_tpm2.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "04a3aa6e8c5f878cc51a8a1c90b6d3c54079bc43",
              "status": "affected",
              "version": "1085b8276bb4239daa7008f0dcd5c973e4bd690f",
              "versionType": "git"
            },
            {
              "lessThan": "6e9722e9a7bfe1bbad649937c811076acf86e1fd",
              "status": "affected",
              "version": "1085b8276bb4239daa7008f0dcd5c973e4bd690f",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/char/tpm/tpm2-cmd.c",
            "drivers/char/tpm/tpm2-sessions.c",
            "include/linux/tpm.h",
            "security/keys/trusted-keys/trusted_tpm2.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.10"
            },
            {
              "lessThan": "6.10",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.19-rc1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.3",
                  "versionStartIncluding": "6.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19-rc1",
                  "versionStartIncluding": "6.10",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntpm2-sessions: Fix out of range indexing in name_size\n\n\u0027name_size\u0027 does not have any range checks, and it just directly indexes\nwith TPM_ALG_ID, which could lead into memory corruption at worst.\n\nAddress the issue by only processing known values and returning -EINVAL for\nunrecognized values.\n\nMake also \u0027tpm_buf_append_name\u0027 and \u0027tpm_buf_fill_hmac_session\u0027 fallible so\nthat errors are detected before causing any spurious TPM traffic.\n\nEnd also the authorization session on failure in both of the functions, as\nthe session state would be then by definition corrupted."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-13T15:29:04.226Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/04a3aa6e8c5f878cc51a8a1c90b6d3c54079bc43"
        },
        {
          "url": "https://git.kernel.org/stable/c/6e9722e9a7bfe1bbad649937c811076acf86e1fd"
        }
      ],
      "title": "tpm2-sessions: Fix out of range indexing in name_size",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-68792",
    "datePublished": "2026-01-13T15:29:04.226Z",
    "dateReserved": "2025-12-24T10:30:51.037Z",
    "dateUpdated": "2026-01-13T15:29:04.226Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-68792\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2026-01-13T16:16:01.090\",\"lastModified\":\"2026-01-13T16:16:01.090\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\ntpm2-sessions: Fix out of range indexing in name_size\\n\\n\u0027name_size\u0027 does not have any range checks, and it just directly indexes\\nwith TPM_ALG_ID, which could lead into memory corruption at worst.\\n\\nAddress the issue by only processing known values and returning -EINVAL for\\nunrecognized values.\\n\\nMake also \u0027tpm_buf_append_name\u0027 and \u0027tpm_buf_fill_hmac_session\u0027 fallible so\\nthat errors are detected before causing any spurious TPM traffic.\\n\\nEnd also the authorization session on failure in both of the functions, as\\nthe session state would be then by definition corrupted.\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/04a3aa6e8c5f878cc51a8a1c90b6d3c54079bc43\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/6e9722e9a7bfe1bbad649937c811076acf86e1fd\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.