CVE-2024-29039

CRITICAL

tpm2 <5.7 - Info Disclosure

Title source: llm

Description

tpm2 is the source repository for the Trusted Platform Module (TPM2.0) tools. This vulnerability allows attackers to manipulate tpm2_checkquote outputs by altering the TPML_PCR_SELECTION in the PCR input file. As a result, digest values are incorrectly mapped to PCR slots and banks, providing a misleading picture of the TPM state. This issue has been patched in version 5.7.

References (4)

[Mailing List, Third Party Advisory] https://lists.fedoraproject.org/archives/list/[email protected]/message/EFR7SVEWCOXORHPCLLGXEMHFMIGG2MFE/

[Mailing List, Third Party Advisory] https://lists.fedoraproject.org/archives/list/[email protected]/message/GI4JFEZBKQQUPJ4RWK6IHEWXAFCEJDPI/

[Exploit, Mitigation, Vendor Advisory] https://github.com/tpm2-software/tpm2-tools/security/advisories/GHSA-8rjm-5f5f-h4q6

[Release Notes] https://github.com/tpm2-software/tpm2-tools/releases/tag/5.7

Scores

CVSS v3 9.0

EPSS 0.0171

EPSS Percentile 82.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-807

Status published

Products (1)

tpm2-tools_project/tpm2-tools < 5.7

Published Jun 28, 2024

Tracked Since Feb 18, 2026