HIGH
tpm2-sessions name_size OOB
CVE-2025-68792
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H
01 Description
In the Linux kernel, the following vulnerability has been resolved:

tpm2-sessions: Fix out of range indexing in name_size

'name_size' does not have any range checks, and it just directly indexes with TPM_ALG_ID, which could lead to memory corruption at worst. Address the issue by only processing known values and returning -EINVAL for unrecognized values. Also make 'tpm_buf_append_name' and 'tpm_buf_fill_hmac_session' fallible so that errors are detected before causing any spurious TPM traffic. Also end the authorization session on failure in both of the functions, as the session state would then by definition be corrupted.
02 KernelScan AI Analysis
Risk summary
A TPM object name whose leading algorithm ID is not one of the supported hash algorithms drives an unchecked table index in name_size() in the TPM2 HMAC session code. The value read past the table is then used as a length in memcpy() and in the hashing of the command parameters, so the outcome ranges from an out-of-bounds read of kernel data to corruption of the heap-allocated session state, with a crash or privilege escalation as the worst case. The CVSS vector above rates the issue as local with low privileges required. Two caveats for triage: the affected path only runs on systems with TPM 2.0 hardware and HMAC session support (CONFIG_TCG_TPM2_HMAC) enabled, and the name bytes are obtained by the kernel itself (via TPM2_ReadPublic) or passed by an in-kernel caller of the session API, so a malformed name implies a misbehaving or malicious TPM implementation (software and firmware TPMs included) or a bug upstream of this code rather than a value handed in directly from user space.
Vulnerability analysis
name_size() reads the 16-bit big-endian algorithm ID at the start of a TPM object name (a TPM2B_NAME: algorithm ID followed by a digest) and uses it directly as an index into a static size_map[] table that has entries only for TPM_ALG_SHA1, TPM_ALG_SHA256, TPM_ALG_SHA384 and TPM_ALG_SHA512. The largest of those IDs is 0x000D, so the table has 14 slots and no bounds check: an ID above 0x000D reads past the table into whatever kernel data follows it, and an ID inside the range but not listed (for example 0x0005) silently reads a zero entry and yields a size of 2 without any error. The value read plus 2 is then used as a length in memcpy() when the name is stored in a fixed-size name buffer of the session structure, and in the hashing step that folds the names into the command parameter hash (sha256_update() in current kernels). With an out-of-range ID that length is an arbitrary integer read from beyond the table, which means an out-of-bounds read of the source name and a heap overflow of the fixed-size destination buffer in the session state. The fix replaces the table lookup with a switch over the known algorithm IDs that returns -EINVAL for anything else, changes tpm_buf_append_name() and tpm_buf_fill_hmac_session() to return an error instead of void so that callers stop before any TPM traffic is issued, and ends the authorization session on that error path, since its state is by then corrupt.
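The two code paths described above, as an added example written for this page rather than code from the kernel: a table indexed by the raw algorithm ID in the shape of the pre-fix name_size(), a hardened switch-based name_size() that returns -EINVAL for unknown IDs, and a fallible append step that refuses a bad name and marks the session ended. The TPM_ALG_* values and digest sizes are the TPM 2.0 constants; the demo_* names, the demo_auth and demo_probe structs, and the constructed names (algorithm ID followed by an all-zero digest) are assumptions made for this example.

```c
/*
 * Added example, not kernel code: the unchecked alg-ID-indexed lookup the
 * advisory describes beside a hardened name_size() and a fallible append.
 * TPM_ALG_* IDs and digest sizes are TPM 2.0 constants; demo_* is invented.
 */
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TPM_ALG_SHA1   0x0004
#define TPM_ALG_SHA256 0x000B
#define TPM_ALG_SHA384 0x000C
#define TPM_ALG_SHA512 0x000D

#define SHA1_DIGEST_SIZE   20
#define SHA256_DIGEST_SIZE 32
#define SHA384_DIGEST_SIZE 48
#define SHA512_DIGEST_SIZE 64

/* A TPM2B_NAME as kept in session state: 2-byte alg ID, then the digest. */
#define NAME_MAX (2 + SHA512_DIGEST_SIZE)
#define ALG_OF(name) ((uint16_t)(((name)[0] << 8) | (name)[1]))

/* Table in the shape of the pre-fix lookup, indexed directly by alg ID. */
static const int size_map[] = {
	[TPM_ALG_SHA1]   = SHA1_DIGEST_SIZE,
	[TPM_ALG_SHA256] = SHA256_DIGEST_SIZE,
	[TPM_ALG_SHA384] = SHA384_DIGEST_SIZE,
	[TPM_ALG_SHA512] = SHA512_DIGEST_SIZE,
};
#define SIZE_MAP_LEN (sizeof(size_map) / sizeof(size_map[0]))

/* The pre-fix expression was `size_map[alg] + 2`. Indexing past the table is
 * undefined behaviour, so this only reports whether that read would leave
 * size_map for the 16-bit alg ID at the front of the name. */
static bool unchecked_lookup_escapes(const uint8_t *name)
{
	return (size_t)ALG_OF(name) >= SIZE_MAP_LEN;
}

/* Hardened lookup: enumerate known algorithms, -EINVAL for anything else. */
static int name_size(const uint8_t *name)
{
	switch (ALG_OF(name)) {
	case TPM_ALG_SHA1:   return SHA1_DIGEST_SIZE + 2;
	case TPM_ALG_SHA256: return SHA256_DIGEST_SIZE + 2;
	case TPM_ALG_SHA384: return SHA384_DIGEST_SIZE + 2;
	case TPM_ALG_SHA512: return SHA512_DIGEST_SIZE + 2;
	default:             return -EINVAL;
	}
}

/* Stand-in for one name slot of the session state. */
struct demo_auth {
	uint8_t name[NAME_MAX];
	bool session_ended;
};

/* Fallible append: validate before the copy; on failure end the session,
 * since its state can no longer be trusted. Returns bytes stored or -EINVAL. */
static int demo_append_name(struct demo_auth *auth, const uint8_t *name)
{
	int len = name_size(name);

	if (len < 0) {
		auth->session_ended = true;
		return len;
	}
	memcpy(auth->name, name, (size_t)len);
	return len;
}

/* What one alg ID does on both code paths. */
struct demo_probe {
	int hardened;       /* name_size(): length, or -EINVAL */
	bool escapes;       /* would the unchecked lookup read past the table */
	int appended;       /* bytes stored by demo_append_name(), 0 if refused */
	bool session_ended;
};

static struct demo_probe demo_probe_alg(uint16_t alg)
{
	/* Constructed input: this alg ID followed by an all-zero digest. */
	uint8_t n[NAME_MAX] = { (uint8_t)(alg >> 8), (uint8_t)alg };
	struct demo_auth auth = { { 0 }, false };
	int ret = demo_append_name(&auth, n);
	struct demo_probe p = { name_size(n), unchecked_lookup_escapes(n),
				ret < 0 ? 0 : ret, auth.session_ended };
	return p;
}

int main(void)
{
	struct demo_probe ok = demo_probe_alg(TPM_ALG_SHA256);
	struct demo_probe bad = demo_probe_alg(0xffff);

	printf("SHA256: size=%d escapes=%d appended=%d\n", ok.hardened, ok.escapes, ok.appended);
	printf("0xffff: size=%d escapes=%d ended=%d\n", bad.hardened, bad.escapes, bad.session_ended);
	return 0;
}
```

Probing 0x0005 is the instructive edge case: it does not escape the table, so the unchecked lookup would have returned 2 with no error at all, while the switch rejects it like any other unknown ID. 0x0010 (TPM_ALG_NULL) and 0xffff both index past the 14-slot table, which is the out-of-bounds read the advisory describes.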
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 6.12 | 6.12.66 | 47e676ce4d68 |
| 6.18 | 6.18.3 | 04a3aa6e8c5f |
| mainline | 6.19 | 6e9722e9a7bf |