CVE-2025-49133
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-06-10

Last updated on: 2025-11-03

Assigner: GitHub, Inc.

Description
Libtpms is a library that targets the integration of TPM functionality into hypervisors, primarily into Qemu. Libtpms, which is derived from the TPM 2.0 reference implementation code published by the Trusted Computing Group, is prone to a potential out of bounds (OOB) read vulnerability. The vulnerability occurs in the β€˜CryptHmacSign’ function with an inconsistent pairing of the signKey and signScheme parameters, where the signKey is ALG_KEYEDHASH key and inScheme is an ECC or RSA scheme. The reported vulnerability is in the β€˜CryptHmacSign’ function, which is defined in the "Part 4: Supporting Routines – Code" document, section "7.151 - /tpm/src/crypt/CryptUtil.c ". This vulnerability can be triggered from user-mode applications by sending malicious commands to a TPM 2.0/vTPM (swtpm) whose firmware is based on an affected TCG reference implementation. The effect on libtpms is that it will cause an abort due to the detection of the out-of-bounds access, thus for example making a vTPM (swtpm) unavailable to a VM. This vulnerability is fixed in 0.7.12, 0.8.10, 0.9.7, and 0.10.1.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-06-10
Last Modified
2025-11-03
Generated
2026-05-07
AI Q&A
2025-06-10
EPSS Evaluated
2026-05-05
NVD
CVE-2025-49133
Affected Vendors & Products
Showing 4 associated CPEs
Vendor Product Version / Range
libtpms_project libtpms 0.7.11
libtpms_project libtpms 0.8.9
libtpms_project libtpms 0.9.6
libtpms_project libtpms 0.10.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-125 The product reads data past the end, or before the beginning, of the intended buffer.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2025-49133 is a vulnerability in the libtpms library's CryptHmacSign function, caused by an inconsistent pairing of the signing key and signing scheme parameters. Specifically, when the signing key is of type ALG_KEYEDHASH but the signing scheme is an ECC or RSA scheme, this mismatch can lead to an out-of-bounds memory read. This triggers an assertion failure causing the libtpms process to abort. The issue arises because the function does not properly validate that the signing scheme is compatible with the key type before performing the HMAC signing operation. [1, 2]


How can this vulnerability impact me? :

This vulnerability can be exploited by a local user-mode application sending crafted commands to a TPM 2.0 or virtual TPM (vTPM) whose firmware is based on the affected libtpms implementation. Exploiting it causes libtpms to abort due to an out-of-bounds memory access, resulting in a denial of service (DoS) by making the vTPM unavailable to the virtual machine. This impacts availability but does not affect confidentiality or integrity. [2]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by checking the version of libtpms installed on your system. Versions 0.7.11, 0.8.9, 0.9.6, and 0.10.0 are vulnerable. There are no specific detection commands provided in the resources. However, you can verify the libtpms version using commands like 'libtpms --version' or by checking the package manager for the installed version. Additionally, monitoring for crashes or aborts in the vTPM (swtpm) service may indicate exploitation attempts. [2]


What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to upgrade libtpms to a patched version. The fixed versions are 0.7.12, 0.8.10, 0.9.7, and 0.10.1. There are no known workarounds. Upgrading to one of these versions will apply the necessary validation checks to prevent the out-of-bounds read and abort issues. [2]


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart