CVE-2020-24455

MEDIUM

TPM2 <3.0.1, <2.4.3 - Privilege Escalation

Title source: llm

Description

Missing initialization of a variable in the TPM2 source may allow a privileged user to potentially enable an escalation of privilege via local access. This affects tpm2-tss before 3.0.1 and before 2.4.3.

References (5)

[Issue Tracking, Patch, Third Party Advisory] https://bugzilla.redhat.com/show_bug.cgi?id=1902167

[Release Notes, Third Party Advisory] https://github.com/tpm2-software/tpm2-tss/releases/tag/2.4.3

[Release Notes, Third Party Advisory] https://github.com/tpm2-software/tpm2-tss/releases/tag/3.0.1

[Mailing List, Third Party Advisory] https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7KPOENCMJU4DMT3BDNUBRK25B3DJ47UO/

[Third Party Advisory] https://security.gentoo.org/glsa/202107-10

Scores

CVSS v3 6.7

EPSS 0.0010

EPSS Percentile 27.6%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-909

Status published

Products (2)

fedoraproject/fedora 34

tpm2_software_stack_project/tpm2_software_stack < 2.4.3

Published Feb 26, 2021

Tracked Since Feb 18, 2026