Search criteria
6 vulnerabilities found for TPM2.0 by Trusted Computing Group
CVE-2025-2884 (GCVE-0-2025-2884)
Vulnerability from nvd – Published: 2025-06-10 17:29 – Updated: 2026-04-14 08:58
VLAI
Title
Out-of-Bounds read vulnerability in TCG TPM2.0 reference implementation
Summary
TCG TPM2.0 Reference implementation's CryptHmacSign helper function is vulnerable to Out-of-Bounds read due to the lack of validation the signature scheme with the signature key's algorithm. See Errata Revision 1.83 and advisory TCGVRT0009 for TCG standard TPM2.0
Severity
6.6 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-125 Out-of-bounds Read
- CWE-125 - Out-of-bounds Read
Assigner
References
8 references
Impacted products
25 products
| Vendor | Product | Version | |
|---|---|---|---|
| Trusted Computing Group | TPM2.0 |
Affected:
0 , < 1.83
(custom)
|
|
| Siemens | SIMATIC CN 4100 |
Affected:
0 , < *
(custom)
|
|
| Siemens | SIMATIC Field PG M5 |
Affected:
0 , < *
(custom)
|
|
| Siemens | SIMATIC Field PG M6 |
Affected:
0 , < *
(custom)
|
|
| Siemens | SIMATIC IPC BX-32A |
Affected:
0 , < V29.01.09
(custom)
|
|
| Siemens | SIMATIC IPC BX-39A |
Affected:
0 , < V29.01.09
(custom)
|
|
| Siemens | SIMATIC IPC BX-56A |
Affected:
0 , < V32.01.09
(custom)
|
|
| Siemens | SIMATIC IPC BX-59A |
Affected:
0 , < V32.01.09
(custom)
|
|
| Siemens | SIMATIC IPC MD-57A |
Affected:
0 , < V30.01.10
(custom)
|
|
| Siemens | SIMATIC IPC PX-32A |
Affected:
0 , < V29.01.09
(custom)
|
|
| Siemens | SIMATIC IPC PX-39A |
Affected:
0 , < V29.01.09
(custom)
|
|
| Siemens | SIMATIC IPC PX-39A PRO |
Affected:
0 , < V29.01.09
(custom)
|
|
| Siemens | SIMATIC IPC RW-528A |
Affected:
0 , < V34.01.02
(custom)
|
|
| Siemens | SIMATIC IPC RW-548A |
Affected:
0 , < V34.01.02
(custom)
|
|
| Siemens | SIMATIC IPC227E |
Affected:
0 , < *
(custom)
|
|
| Siemens | SIMATIC IPC277E |
Affected:
0 , < *
(custom)
|
|
| Siemens | SIMATIC IPC427E |
Affected:
0 , < V21.01.20
(custom)
|
|
| Siemens | SIMATIC IPC477E |
Affected:
0 , < V21.01.20
(custom)
|
|
| Siemens | SIMATIC IPC477E PRO |
Affected:
0 , < V21.01.20
(custom)
|
|
| Siemens | SIMATIC IPC627E |
Affected:
0 , < *
(custom)
|
|
| Siemens | SIMATIC IPC647E |
Affected:
0 , < *
(custom)
|
|
| Siemens | SIMATIC IPC677E |
Affected:
0 , < *
(custom)
|
|
| Siemens | SIMATIC IPC847E |
Affected:
0 , < *
(custom)
|
|
| Siemens | SIMATIC ITP1000 |
Affected:
0 , < *
(custom)
|
|
| Siemens | SIPLUS IPC427E |
Affected:
0 , < V21.01.20
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-06-10T19:02:29.811Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01209.html"
},
{
"url": "https://www.kb.cert.org/vuls/id/282450"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 6.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-2884",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-13T01:41:10.489446Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-125",
"description": "CWE-125 Out-of-bounds Read",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-13T01:46:13.802Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"affected": [
{
"defaultStatus": "unknown",
"product": "SIMATIC CN 4100",
"vendor": "Siemens",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "SIMATIC Field PG M5",
"vendor": "Siemens",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "SIMATIC Field PG M6",
"vendor": "Siemens",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "SIMATIC IPC BX-32A",
"vendor": "Siemens",
"versions": [
{
"lessThan": "V29.01.09",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "SIMATIC IPC BX-39A",
"vendor": "Siemens",
"versions": [
{
"lessThan": "V29.01.09",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "SIMATIC IPC BX-56A",
"vendor": "Siemens",
"versions": [
{
"lessThan": "V32.01.09",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "SIMATIC IPC BX-59A",
"vendor": "Siemens",
"versions": [
{
"lessThan": "V32.01.09",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "SIMATIC IPC MD-57A",
"vendor": "Siemens",
"versions": [
{
"lessThan": "V30.01.10",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "SIMATIC IPC PX-32A",
"vendor": "Siemens",
"versions": [
{
"lessThan": "V29.01.09",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "SIMATIC IPC PX-39A",
"vendor": "Siemens",
"versions": [
{
"lessThan": "V29.01.09",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "SIMATIC IPC PX-39A PRO",
"vendor": "Siemens",
"versions": [
{
"lessThan": "V29.01.09",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "SIMATIC IPC RW-528A",
"vendor": "Siemens",
"versions": [
{
"lessThan": "V34.01.02",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "SIMATIC IPC RW-548A",
"vendor": "Siemens",
"versions": [
{
"lessThan": "V34.01.02",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "SIMATIC IPC227E",
"vendor": "Siemens",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "SIMATIC IPC277E",
"vendor": "Siemens",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "SIMATIC IPC427E",
"vendor": "Siemens",
"versions": [
{
"lessThan": "V21.01.20",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "SIMATIC IPC477E",
"vendor": "Siemens",
"versions": [
{
"lessThan": "V21.01.20",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "SIMATIC IPC477E PRO",
"vendor": "Siemens",
"versions": [
{
"lessThan": "V21.01.20",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "SIMATIC IPC627E",
"vendor": "Siemens",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "SIMATIC IPC647E",
"vendor": "Siemens",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "SIMATIC IPC677E",
"vendor": "Siemens",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "SIMATIC IPC847E",
"vendor": "Siemens",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "SIMATIC ITP1000",
"vendor": "Siemens",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "SIPLUS IPC427E",
"vendor": "Siemens",
"versions": [
{
"lessThan": "V21.01.20",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-14T08:58:06.200Z",
"orgId": "0b142b55-0307-4c5a-b3c9-f314f3fb7c5e",
"shortName": "siemens-SADP"
},
"references": [
{
"url": "https://cert-portal.siemens.com/productcert/html/ssa-628843.html"
}
],
"x_adpType": "supplier"
}
],
"cna": {
"affected": [
{
"product": "TPM2.0",
"vendor": "Trusted Computing Group",
"versions": [
{
"lessThan": "1.83",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "TCG TPM2.0 Reference implementation\u0027s CryptHmacSign helper function is vulnerable to Out-of-Bounds read due to the lack of validation the signature scheme with the signature key\u0027s algorithm. See Errata Revision 1.83 and advisory TCGVRT0009 for TCG standard TPM2.0"
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-2884",
"selections": [
{
"name": "Exploitation",
"namespace": "ssvc",
"values": [
"none"
],
"version": "1.0.0"
},
{
"name": "Automatable",
"namespace": "ssvc",
"values": [
"no"
],
"version": "2.0.0"
},
{
"name": "Technical Impact",
"namespace": "ssvc",
"values": [
"partial"
],
"version": "1.0.0"
},
{
"name": "Mission \u0026 Well-being",
"namespace": "ssvc",
"values": [
"medium"
],
"version": "1.0.0"
}
],
"timestamp": "2025-06-13T17:22:30.584Z"
},
"type": "ssvcV1_0_1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-125 Out-of-bounds Read",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-13T18:22:21.856Z",
"orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"shortName": "certcc"
},
"references": [
{
"url": "https://trustedcomputinggroup.org/about/security/"
},
{
"name": "TPM2.0 Errata",
"url": "https://trustedcomputinggroup.org/wp-content/uploads/TPM2.0-Library-Spec-v1.83-Errata_v1_pub.pdf"
},
{
"name": "Vendor Advisory",
"url": "https://trustedcomputinggroup.org/wp-content/uploads/VRT0009-Advisory-FINAL.pdf"
},
{
"name": "Vendor Patch",
"url": "https://github.com/stefanberger/libtpms/commit/04b2d8e9afc0a9b6bffe562a23e58c0de11532d1"
},
{
"name": "Related CVE",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-49133"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Out-of-Bounds read vulnerability in TCG TPM2.0 reference implementation",
"x_generator": {
"engine": "VINCE 3.0.20",
"env": "prod",
"origin": "https://cveawg.mitre.org/api/cve/CVE-2025-2884"
}
}
},
"cveMetadata": {
"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"assignerShortName": "certcc",
"cveId": "CVE-2025-2884",
"datePublished": "2025-06-10T17:29:19.463Z",
"dateReserved": "2025-03-27T21:01:41.908Z",
"dateUpdated": "2026-04-14T08:58:06.200Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-1017 (GCVE-0-2023-1017)
Vulnerability from nvd – Published: 2023-02-28 18:02 – Updated: 2025-11-04 19:14
VLAI
Title
TPM2.0 vulnerable to out-of-bounds write
Summary
An out-of-bounds write vulnerability exists in TPM2.0's Module Library allowing writing of a 2-byte data past the end of TPM2.0 command in the CryptParameterDecryption routine. An attacker who can successfully exploit this vulnerability can lead to denial of service (crashing the TPM chip/process or rendering it unusable) and/or arbitrary code execution in the TPM context.
Severity
No CVSS data available.
Assigner
References
Impacted products
3 products
| Vendor | Product | Version | |
|---|---|---|---|
| Trusted Computing Group | TPM2.0 |
Affected:
1.59
|
|
| Trusted Computing Group | TPM2.0 |
Affected:
1.38
|
|
| Trusted Computing Group | TPM2.0 |
Affected:
1.19
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-04T19:14:38.421Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "TCG TPM2.0 Errata Version 1.4",
"tags": [
"x_transferred"
],
"url": "https://trustedcomputinggroup.org/wp-content/uploads/TCGVRT0007-Advisory-FINAL.pdf"
},
{
"name": "TCG Security Advisories",
"tags": [
"x_transferred"
],
"url": "https://trustedcomputinggroup.org/about/security/"
},
{
"name": "CERT/CC Advisory VU#782720",
"tags": [
"x_transferred"
],
"url": "https://kb.cert.org/vuls/id/782720"
},
{
"url": "https://www.kb.cert.org/vuls/id/782720"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "TPM2.0",
"vendor": "Trusted Computing Group",
"versions": [
{
"status": "affected",
"version": "1.59"
}
]
},
{
"product": "TPM2.0",
"vendor": "Trusted Computing Group",
"versions": [
{
"status": "affected",
"version": "1.38"
}
]
},
{
"product": "TPM2.0",
"vendor": "Trusted Computing Group",
"versions": [
{
"status": "affected",
"version": "1.19"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Francisco Falcon of Quarkslab"
}
],
"descriptions": [
{
"lang": "en",
"value": "An out-of-bounds write vulnerability exists in TPM2.0\u0027s Module Library allowing writing of a 2-byte data past the end of TPM2.0 command in the CryptParameterDecryption routine. An attacker who can successfully exploit this vulnerability can lead to denial of service (crashing the TPM chip/process or rendering it unusable) and/or arbitrary code execution in the TPM context."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-787 Out-of-bounds Write",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-02-28T19:09:18.722Z",
"orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"shortName": "certcc"
},
"references": [
{
"name": "TCG TPM2.0 Errata Version 1.4 ",
"url": "https://trustedcomputinggroup.org/wp-content/uploads/TCGVRT0007-Advisory-FINAL.pdf"
},
{
"name": "TCG Security Advisories",
"url": "https://trustedcomputinggroup.org/about/security/"
},
{
"name": "CERT/CC Advisory VU#782720",
"url": "https://kb.cert.org/vuls/id/782720"
}
],
"source": {
"discovery": "external"
},
"title": "TPM2.0 vulnerable to out-of-bounds write",
"x_generator": {
"engine": "VINCE 2.0.6",
"env": "prod",
"origin": "https://cveawg.mitre.org/api/cve/CVE-2023-1017"
}
}
},
"cveMetadata": {
"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"assignerShortName": "certcc",
"cveId": "CVE-2023-1017",
"datePublished": "2023-02-28T18:02:27.064Z",
"dateReserved": "2023-02-24T16:02:22.626Z",
"dateUpdated": "2025-11-04T19:14:38.421Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-1018 (GCVE-0-2023-1018)
Vulnerability from nvd – Published: 2023-02-28 17:54 – Updated: 2025-11-04 19:14
VLAI
Title
TPM2.0 vulnerable to out-of-bounds read
Summary
An out-of-bounds read vulnerability exists in TPM2.0's Module Library allowing a 2-byte read past the end of a TPM2.0 command in the CryptParameterDecryption routine. An attacker who can successfully exploit this vulnerability can read or access sensitive data stored in the TPM.
Severity
5.5 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
Impacted products
3 products
| Vendor | Product | Version | |
|---|---|---|---|
| Trusted Computing Group | TPM2.0 |
Affected:
1.59
|
|
| Trusted Computing Group | TPM2.0 |
Affected:
1.38
|
|
| Trusted Computing Group | TPM2.0 |
Affected:
1.16
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-04T19:14:39.612Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "TCG TPM2.0 Errata Version 1.4",
"tags": [
"x_transferred"
],
"url": "https://trustedcomputinggroup.org/wp-content/uploads/TCGVRT0007-Advisory-FINAL.pdf"
},
{
"name": "TCG Security Advisories",
"tags": [
"x_transferred"
],
"url": "https://trustedcomputinggroup.org/about/security/"
},
{
"name": "CERT/CC Advisory VU#782720",
"tags": [
"x_transferred"
],
"url": "https://kb.cert.org/vuls/id/782720"
},
{
"url": "https://www.kb.cert.org/vuls/id/782720"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-1018",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-07T18:38:17.368376Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-07T18:38:47.809Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "TPM2.0",
"vendor": "Trusted Computing Group",
"versions": [
{
"status": "affected",
"version": "1.59"
}
]
},
{
"product": "TPM2.0",
"vendor": "Trusted Computing Group",
"versions": [
{
"status": "affected",
"version": "1.38"
}
]
},
{
"product": "TPM2.0",
"vendor": "Trusted Computing Group",
"versions": [
{
"status": "affected",
"version": "1.16"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Francisco Falcon of Quarkslab"
}
],
"descriptions": [
{
"lang": "en",
"value": "An out-of-bounds read vulnerability exists in TPM2.0\u0027s Module Library allowing a 2-byte read past the end of a TPM2.0 command in the CryptParameterDecryption routine. An attacker who can successfully exploit this vulnerability can read or access sensitive data stored in the TPM."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-125 Out-of-bounds Read",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-02-28T19:08:19.512Z",
"orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"shortName": "certcc"
},
"references": [
{
"name": "TCG TPM2.0 Errata Version 1.4 ",
"url": "https://trustedcomputinggroup.org/wp-content/uploads/TCGVRT0007-Advisory-FINAL.pdf"
},
{
"name": "TCG Security Advisories",
"url": "https://trustedcomputinggroup.org/about/security/"
},
{
"name": "CERT/CC Advisory VU#782720",
"url": "https://kb.cert.org/vuls/id/782720"
}
],
"source": {
"discovery": "external"
},
"title": "TPM2.0 vulnerable to out-of-bounds read ",
"x_generator": {
"engine": "VINCE 2.0.6",
"env": "prod",
"origin": "https://cveawg.mitre.org/api/cve/CVE-2023-1018"
}
}
},
"cveMetadata": {
"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"assignerShortName": "certcc",
"cveId": "CVE-2023-1018",
"datePublished": "2023-02-28T17:54:33.260Z",
"dateReserved": "2023-02-24T16:06:48.994Z",
"dateUpdated": "2025-11-04T19:14:39.612Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-2884 (GCVE-0-2025-2884)
Vulnerability from cvelistv5 – Published: 2025-06-10 17:29 – Updated: 2026-04-14 08:58
VLAI
Title
Out-of-Bounds read vulnerability in TCG TPM2.0 reference implementation
Summary
TCG TPM2.0 Reference implementation's CryptHmacSign helper function is vulnerable to Out-of-Bounds read due to the lack of validation the signature scheme with the signature key's algorithm. See Errata Revision 1.83 and advisory TCGVRT0009 for TCG standard TPM2.0
Severity
6.6 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-125 Out-of-bounds Read
- CWE-125 - Out-of-bounds Read
Assigner
References
8 references
Impacted products
25 products
| Vendor | Product | Version | |
|---|---|---|---|
| Trusted Computing Group | TPM2.0 |
Affected:
0 , < 1.83
(custom)
|
|
| Siemens | SIMATIC CN 4100 |
Affected:
0 , < *
(custom)
|
|
| Siemens | SIMATIC Field PG M5 |
Affected:
0 , < *
(custom)
|
|
| Siemens | SIMATIC Field PG M6 |
Affected:
0 , < *
(custom)
|
|
| Siemens | SIMATIC IPC BX-32A |
Affected:
0 , < V29.01.09
(custom)
|
|
| Siemens | SIMATIC IPC BX-39A |
Affected:
0 , < V29.01.09
(custom)
|
|
| Siemens | SIMATIC IPC BX-56A |
Affected:
0 , < V32.01.09
(custom)
|
|
| Siemens | SIMATIC IPC BX-59A |
Affected:
0 , < V32.01.09
(custom)
|
|
| Siemens | SIMATIC IPC MD-57A |
Affected:
0 , < V30.01.10
(custom)
|
|
| Siemens | SIMATIC IPC PX-32A |
Affected:
0 , < V29.01.09
(custom)
|
|
| Siemens | SIMATIC IPC PX-39A |
Affected:
0 , < V29.01.09
(custom)
|
|
| Siemens | SIMATIC IPC PX-39A PRO |
Affected:
0 , < V29.01.09
(custom)
|
|
| Siemens | SIMATIC IPC RW-528A |
Affected:
0 , < V34.01.02
(custom)
|
|
| Siemens | SIMATIC IPC RW-548A |
Affected:
0 , < V34.01.02
(custom)
|
|
| Siemens | SIMATIC IPC227E |
Affected:
0 , < *
(custom)
|
|
| Siemens | SIMATIC IPC277E |
Affected:
0 , < *
(custom)
|
|
| Siemens | SIMATIC IPC427E |
Affected:
0 , < V21.01.20
(custom)
|
|
| Siemens | SIMATIC IPC477E |
Affected:
0 , < V21.01.20
(custom)
|
|
| Siemens | SIMATIC IPC477E PRO |
Affected:
0 , < V21.01.20
(custom)
|
|
| Siemens | SIMATIC IPC627E |
Affected:
0 , < *
(custom)
|
|
| Siemens | SIMATIC IPC647E |
Affected:
0 , < *
(custom)
|
|
| Siemens | SIMATIC IPC677E |
Affected:
0 , < *
(custom)
|
|
| Siemens | SIMATIC IPC847E |
Affected:
0 , < *
(custom)
|
|
| Siemens | SIMATIC ITP1000 |
Affected:
0 , < *
(custom)
|
|
| Siemens | SIPLUS IPC427E |
Affected:
0 , < V21.01.20
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-06-10T19:02:29.811Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01209.html"
},
{
"url": "https://www.kb.cert.org/vuls/id/282450"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 6.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-2884",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-13T01:41:10.489446Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-125",
"description": "CWE-125 Out-of-bounds Read",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-13T01:46:13.802Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"affected": [
{
"defaultStatus": "unknown",
"product": "SIMATIC CN 4100",
"vendor": "Siemens",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "SIMATIC Field PG M5",
"vendor": "Siemens",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "SIMATIC Field PG M6",
"vendor": "Siemens",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "SIMATIC IPC BX-32A",
"vendor": "Siemens",
"versions": [
{
"lessThan": "V29.01.09",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "SIMATIC IPC BX-39A",
"vendor": "Siemens",
"versions": [
{
"lessThan": "V29.01.09",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "SIMATIC IPC BX-56A",
"vendor": "Siemens",
"versions": [
{
"lessThan": "V32.01.09",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "SIMATIC IPC BX-59A",
"vendor": "Siemens",
"versions": [
{
"lessThan": "V32.01.09",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "SIMATIC IPC MD-57A",
"vendor": "Siemens",
"versions": [
{
"lessThan": "V30.01.10",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "SIMATIC IPC PX-32A",
"vendor": "Siemens",
"versions": [
{
"lessThan": "V29.01.09",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "SIMATIC IPC PX-39A",
"vendor": "Siemens",
"versions": [
{
"lessThan": "V29.01.09",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "SIMATIC IPC PX-39A PRO",
"vendor": "Siemens",
"versions": [
{
"lessThan": "V29.01.09",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "SIMATIC IPC RW-528A",
"vendor": "Siemens",
"versions": [
{
"lessThan": "V34.01.02",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "SIMATIC IPC RW-548A",
"vendor": "Siemens",
"versions": [
{
"lessThan": "V34.01.02",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "SIMATIC IPC227E",
"vendor": "Siemens",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "SIMATIC IPC277E",
"vendor": "Siemens",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "SIMATIC IPC427E",
"vendor": "Siemens",
"versions": [
{
"lessThan": "V21.01.20",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "SIMATIC IPC477E",
"vendor": "Siemens",
"versions": [
{
"lessThan": "V21.01.20",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "SIMATIC IPC477E PRO",
"vendor": "Siemens",
"versions": [
{
"lessThan": "V21.01.20",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "SIMATIC IPC627E",
"vendor": "Siemens",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "SIMATIC IPC647E",
"vendor": "Siemens",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "SIMATIC IPC677E",
"vendor": "Siemens",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "SIMATIC IPC847E",
"vendor": "Siemens",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "SIMATIC ITP1000",
"vendor": "Siemens",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "SIPLUS IPC427E",
"vendor": "Siemens",
"versions": [
{
"lessThan": "V21.01.20",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-14T08:58:06.200Z",
"orgId": "0b142b55-0307-4c5a-b3c9-f314f3fb7c5e",
"shortName": "siemens-SADP"
},
"references": [
{
"url": "https://cert-portal.siemens.com/productcert/html/ssa-628843.html"
}
],
"x_adpType": "supplier"
}
],
"cna": {
"affected": [
{
"product": "TPM2.0",
"vendor": "Trusted Computing Group",
"versions": [
{
"lessThan": "1.83",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "TCG TPM2.0 Reference implementation\u0027s CryptHmacSign helper function is vulnerable to Out-of-Bounds read due to the lack of validation the signature scheme with the signature key\u0027s algorithm. See Errata Revision 1.83 and advisory TCGVRT0009 for TCG standard TPM2.0"
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-2884",
"selections": [
{
"name": "Exploitation",
"namespace": "ssvc",
"values": [
"none"
],
"version": "1.0.0"
},
{
"name": "Automatable",
"namespace": "ssvc",
"values": [
"no"
],
"version": "2.0.0"
},
{
"name": "Technical Impact",
"namespace": "ssvc",
"values": [
"partial"
],
"version": "1.0.0"
},
{
"name": "Mission \u0026 Well-being",
"namespace": "ssvc",
"values": [
"medium"
],
"version": "1.0.0"
}
],
"timestamp": "2025-06-13T17:22:30.584Z"
},
"type": "ssvcV1_0_1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-125 Out-of-bounds Read",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-13T18:22:21.856Z",
"orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"shortName": "certcc"
},
"references": [
{
"url": "https://trustedcomputinggroup.org/about/security/"
},
{
"name": "TPM2.0 Errata",
"url": "https://trustedcomputinggroup.org/wp-content/uploads/TPM2.0-Library-Spec-v1.83-Errata_v1_pub.pdf"
},
{
"name": "Vendor Advisory",
"url": "https://trustedcomputinggroup.org/wp-content/uploads/VRT0009-Advisory-FINAL.pdf"
},
{
"name": "Vendor Patch",
"url": "https://github.com/stefanberger/libtpms/commit/04b2d8e9afc0a9b6bffe562a23e58c0de11532d1"
},
{
"name": "Related CVE",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-49133"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Out-of-Bounds read vulnerability in TCG TPM2.0 reference implementation",
"x_generator": {
"engine": "VINCE 3.0.20",
"env": "prod",
"origin": "https://cveawg.mitre.org/api/cve/CVE-2025-2884"
}
}
},
"cveMetadata": {
"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"assignerShortName": "certcc",
"cveId": "CVE-2025-2884",
"datePublished": "2025-06-10T17:29:19.463Z",
"dateReserved": "2025-03-27T21:01:41.908Z",
"dateUpdated": "2026-04-14T08:58:06.200Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-1017 (GCVE-0-2023-1017)
Vulnerability from cvelistv5 – Published: 2023-02-28 18:02 – Updated: 2025-11-04 19:14
VLAI
Title
TPM2.0 vulnerable to out-of-bounds write
Summary
An out-of-bounds write vulnerability exists in TPM2.0's Module Library allowing writing of a 2-byte data past the end of TPM2.0 command in the CryptParameterDecryption routine. An attacker who can successfully exploit this vulnerability can lead to denial of service (crashing the TPM chip/process or rendering it unusable) and/or arbitrary code execution in the TPM context.
Severity
No CVSS data available.
Assigner
References
Impacted products
3 products
| Vendor | Product | Version | |
|---|---|---|---|
| Trusted Computing Group | TPM2.0 |
Affected:
1.59
|
|
| Trusted Computing Group | TPM2.0 |
Affected:
1.38
|
|
| Trusted Computing Group | TPM2.0 |
Affected:
1.19
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-04T19:14:38.421Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "TCG TPM2.0 Errata Version 1.4",
"tags": [
"x_transferred"
],
"url": "https://trustedcomputinggroup.org/wp-content/uploads/TCGVRT0007-Advisory-FINAL.pdf"
},
{
"name": "TCG Security Advisories",
"tags": [
"x_transferred"
],
"url": "https://trustedcomputinggroup.org/about/security/"
},
{
"name": "CERT/CC Advisory VU#782720",
"tags": [
"x_transferred"
],
"url": "https://kb.cert.org/vuls/id/782720"
},
{
"url": "https://www.kb.cert.org/vuls/id/782720"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "TPM2.0",
"vendor": "Trusted Computing Group",
"versions": [
{
"status": "affected",
"version": "1.59"
}
]
},
{
"product": "TPM2.0",
"vendor": "Trusted Computing Group",
"versions": [
{
"status": "affected",
"version": "1.38"
}
]
},
{
"product": "TPM2.0",
"vendor": "Trusted Computing Group",
"versions": [
{
"status": "affected",
"version": "1.19"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Francisco Falcon of Quarkslab"
}
],
"descriptions": [
{
"lang": "en",
"value": "An out-of-bounds write vulnerability exists in TPM2.0\u0027s Module Library allowing writing of a 2-byte data past the end of TPM2.0 command in the CryptParameterDecryption routine. An attacker who can successfully exploit this vulnerability can lead to denial of service (crashing the TPM chip/process or rendering it unusable) and/or arbitrary code execution in the TPM context."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-787 Out-of-bounds Write",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-02-28T19:09:18.722Z",
"orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"shortName": "certcc"
},
"references": [
{
"name": "TCG TPM2.0 Errata Version 1.4 ",
"url": "https://trustedcomputinggroup.org/wp-content/uploads/TCGVRT0007-Advisory-FINAL.pdf"
},
{
"name": "TCG Security Advisories",
"url": "https://trustedcomputinggroup.org/about/security/"
},
{
"name": "CERT/CC Advisory VU#782720",
"url": "https://kb.cert.org/vuls/id/782720"
}
],
"source": {
"discovery": "external"
},
"title": "TPM2.0 vulnerable to out-of-bounds write",
"x_generator": {
"engine": "VINCE 2.0.6",
"env": "prod",
"origin": "https://cveawg.mitre.org/api/cve/CVE-2023-1017"
}
}
},
"cveMetadata": {
"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"assignerShortName": "certcc",
"cveId": "CVE-2023-1017",
"datePublished": "2023-02-28T18:02:27.064Z",
"dateReserved": "2023-02-24T16:02:22.626Z",
"dateUpdated": "2025-11-04T19:14:38.421Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-1018 (GCVE-0-2023-1018)
Vulnerability from cvelistv5 – Published: 2023-02-28 17:54 – Updated: 2025-11-04 19:14
VLAI
Title
TPM2.0 vulnerable to out-of-bounds read
Summary
An out-of-bounds read vulnerability exists in TPM2.0's Module Library allowing a 2-byte read past the end of a TPM2.0 command in the CryptParameterDecryption routine. An attacker who can successfully exploit this vulnerability can read or access sensitive data stored in the TPM.
Severity
5.5 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
Impacted products
3 products
| Vendor | Product | Version | |
|---|---|---|---|
| Trusted Computing Group | TPM2.0 |
Affected:
1.59
|
|
| Trusted Computing Group | TPM2.0 |
Affected:
1.38
|
|
| Trusted Computing Group | TPM2.0 |
Affected:
1.16
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-04T19:14:39.612Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "TCG TPM2.0 Errata Version 1.4",
"tags": [
"x_transferred"
],
"url": "https://trustedcomputinggroup.org/wp-content/uploads/TCGVRT0007-Advisory-FINAL.pdf"
},
{
"name": "TCG Security Advisories",
"tags": [
"x_transferred"
],
"url": "https://trustedcomputinggroup.org/about/security/"
},
{
"name": "CERT/CC Advisory VU#782720",
"tags": [
"x_transferred"
],
"url": "https://kb.cert.org/vuls/id/782720"
},
{
"url": "https://www.kb.cert.org/vuls/id/782720"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-1018",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-07T18:38:17.368376Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-07T18:38:47.809Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "TPM2.0",
"vendor": "Trusted Computing Group",
"versions": [
{
"status": "affected",
"version": "1.59"
}
]
},
{
"product": "TPM2.0",
"vendor": "Trusted Computing Group",
"versions": [
{
"status": "affected",
"version": "1.38"
}
]
},
{
"product": "TPM2.0",
"vendor": "Trusted Computing Group",
"versions": [
{
"status": "affected",
"version": "1.16"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Francisco Falcon of Quarkslab"
}
],
"descriptions": [
{
"lang": "en",
"value": "An out-of-bounds read vulnerability exists in TPM2.0\u0027s Module Library allowing a 2-byte read past the end of a TPM2.0 command in the CryptParameterDecryption routine. An attacker who can successfully exploit this vulnerability can read or access sensitive data stored in the TPM."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-125 Out-of-bounds Read",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-02-28T19:08:19.512Z",
"orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"shortName": "certcc"
},
"references": [
{
"name": "TCG TPM2.0 Errata Version 1.4 ",
"url": "https://trustedcomputinggroup.org/wp-content/uploads/TCGVRT0007-Advisory-FINAL.pdf"
},
{
"name": "TCG Security Advisories",
"url": "https://trustedcomputinggroup.org/about/security/"
},
{
"name": "CERT/CC Advisory VU#782720",
"url": "https://kb.cert.org/vuls/id/782720"
}
],
"source": {
"discovery": "external"
},
"title": "TPM2.0 vulnerable to out-of-bounds read ",
"x_generator": {
"engine": "VINCE 2.0.6",
"env": "prod",
"origin": "https://cveawg.mitre.org/api/cve/CVE-2023-1018"
}
}
},
"cveMetadata": {
"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"assignerShortName": "certcc",
"cveId": "CVE-2023-1018",
"datePublished": "2023-02-28T17:54:33.260Z",
"dateReserved": "2023-02-24T16:06:48.994Z",
"dateUpdated": "2025-11-04T19:14:39.612Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}