Source: libtpms Version: 0.10.1-2 Severity: important Tags: security upstream Forwarded: https://github.com/stefanberger/libtpms/issues/541 X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi, The following vulnerability was published for libtpms. CVE-2026-21444[0]: | libtpms, a library that provides software emulation of a Trusted | Platform Module, has a flaw in versions 0.10.0 and 0.10.1. The | commonly used integration of libtpms with OpenSSL 3.x contained a | vulnerability related to the returned IV (initialization vector) | when certain symmetric ciphers were used. Instead of returning the | last IV it returned the initial IV to the caller, thus weakening the | subsequent encryption and decryption steps. The highest threat from | this vulnerability is to data confidentiality. Version 0.10.2 fixes | the issue. No known workarounds are available. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2026-21444 https://www.cve.org/CVERecord?id=CVE-2026-21444 [1] https://github.com/stefanberger/libtpms/issues/541 [2] https://github.com/stefanberger/libtpms/security/advisories/GHSA-7jxr-4j3g-p34f Regards, Salvatore
