SecuriTricks - CVE-2026-21444

Description

libtpms, a library that provides software emulation of a Trusted Platform Module, has a flaw in versions 0.10.0 and 0.10.1. The commonly used integration of libtpms with OpenSSL 3.x contained a vulnerability related to the returned IV (initialization vector) when certain symmetric ciphers were used. Instead of returning the last IV it returned the initial IV to the caller, thus weakening the subsequent encryption and decryption steps. The highest threat from this vulnerability is to data confidentiality. Version 0.10.2 fixes the issue. No known workarounds are available.

Product(s) Impacted

Vendor	Product	Versions
Libtpms	Libtpms	0.10.0, 0.10.1, <0.10.2

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-327

Use of a Broken or Risky Cryptographic Algorithm

The product uses a broken or risky cryptographic algorithm or protocol.

*CPE(s)

Affected systems and software identified for this CVE.

Type	Vendor	Product	Version	Update	Edition	Language	Software Edition	Target Software	Target Hardware	Other Information
a	libtpms	libtpms	0.10.0	/	/	/	/	/	/	/
a	libtpms	libtpms	0.10.1	/	/	/	/	/	/	/
a	libtpms	libtpms	<0.10.2	/	/	/	/	/	/

References

https://github.com/stefanberger/libtpms/commit/33c9ff074cb16c1841ce7d7f33643c17c426743a

https://github.com/stefanberger/libtpms/issues/541

https://github.com/stefanberger/libtpms/security/advisories/GHSA-7jxr-4j3g-p34f

CVSS Score

5.5 / 10

CVSS Data - 3.1

Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: LOW
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

View Vector String

Timeline

Published: Jan. 2, 2026, 7:15 p.m.
Last Modified: Jan. 2, 2026, 7:15 p.m.

Status : Received

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

security-advisories@github.com

CVE-2026-21444