2426858 – (CVE-2026-21444) CVE-2026-21444 limtpms: libtpms: Remote data confidentiality compromise via incorrect Initialization Vector (IV) handling

Bug 2426858 (CVE-2026-21444) - CVE-2026-21444 limtpms: libtpms: Remote data confidentiality compromise via incorrect Initialization Vector (IV) handling

Summary: CVE-2026-21444 limtpms: libtpms: Remote data confidentiality compromise via i...

Keywords:
Status:	NEW
Alias:	CVE-2026-21444
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2426890 2426891
Blocks:
TreeView+	depends on / blocked

Reported:	2026-01-02 20:02 UTC by OSIDB Bzimport
Modified:	2026-01-02 21:12 UTC (History)
CC List:	0 users
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-01-02 20:02:16 UTC

libtpms, a library that provides software emulation of a Trusted Platform Module, has a flaw in versions 0.10.0 and 0.10.1. The commonly used integration of libtpms with OpenSSL 3.x contained a vulnerability related to the returned IV (initialization vector) when certain symmetric ciphers were used. Instead of returning the last IV it returned the initial IV to the caller, thus weakening the subsequent encryption and decryption steps. The highest threat from this vulnerability is to data confidentiality. Version 0.10.2 fixes the issue. No known workarounds are available.

Note You need to log in before you can comment on or make changes to this bug.