Bug 2426858 (CVE-2026-21444)

Summary: CVE-2026-21444 limtpms: libtpms: Remote data confidentiality compromise via incorrect Initialization Vector (IV) handling
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: geodashgame.io
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in libtpms, a library for Trusted Platform Module (TPM) emulation. An attacker with low privileges could exploit this vulnerability when libtpms is integrated with OpenSSL 3.x and certain symmetric ciphers are used. The library incorrectly returns the initial Initialization Vector (IV) instead of the last one, weakening subsequent encryption and decryption operations and potentially compromising data confidentiality.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2426890, 2426891    
Bug Blocks:    

Description OSIDB Bzimport 2026-01-02 20:02:16 UTC 
libtpms, a library that provides software emulation of a Trusted Platform Module, has a flaw in versions 0.10.0 and 0.10.1. The commonly used integration of libtpms with OpenSSL 3.x contained a vulnerability related to the returned IV (initialization vector) when certain symmetric ciphers were used. Instead of returning the last IV it returned the initial IV to the caller, thus weakening the subsequent encryption and decryption steps. The highest threat from this vulnerability is to data confidentiality. Version 0.10.2 fixes the issue. No known workarounds are available.
Comment 3 London White 2026-01-06 03:50:39 UTC 
One of my projects ( https://geodashgame.io running on Linux) pulls in libtpms via the OpenSSL 3.x stack, and I've confirmed that versions 0.10.0 and 0.10.1 are present in my current setup.