CVE-2026-21444

5.5 MEDIUM

📋 TL;DR

libtpms versions 0.10.0 and 0.10.1 have a cryptographic vulnerability where the library incorrectly returns the initial IV instead of the last IV when using certain symmetric ciphers with OpenSSL 3.x. This weakens subsequent encryption/decryption operations, potentially exposing sensitive TPM-protected data. Systems using libtpms with OpenSSL 3.x for TPM emulation are affected.

💻 Affected Systems

Products:
  • libtpms
Versions: 0.10.0 through 0.10.1
Operating Systems: All operating systems using libtpms
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems using libtpms with OpenSSL 3.x integration. Systems using older OpenSSL versions or different cryptographic backends are not affected.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could decrypt TPM-protected data such as encryption keys, credentials, or sensitive configuration data, leading to complete system compromise.

🟠 Likely Case

Gradual weakening of encryption over multiple operations, potentially allowing partial decryption of protected data over time.

🟢 If Mitigated

With proper network segmentation and access controls, impact limited to specific TPM-dependent applications rather than full system compromise.

🌐 Internet-Facing: MEDIUM - While the vulnerability affects cryptographic operations, exploitation typically requires access to encrypted data streams or the ability to observe multiple encryption operations.
🏢 Internal Only: MEDIUM - Internal attackers with access to encrypted TPM data or the ability to observe cryptographic operations could exploit this vulnerability.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires understanding of cryptographic operations and access to encrypted data. No public exploits have been reported.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.10.2

Vendor Advisory: https://github.com/stefanberger/libtpms/security/advisories/GHSA-7jxr-4j3g-p34f

Restart Required: Yes

Instructions:

1. Download libtpms 0.10.2 from the official repository.
2. Stop all services using libtpms.
3. Compile and install the new version.
4. Restart affected services.

🔧 Temporary Workarounds

No known workarounds

The vulnerability is in the cryptographic implementation and cannot be mitigated without patching.

🧯 If You Can't Patch

  • Isolate systems using vulnerable libtpms versions from untrusted networks
  • Monitor for unusual cryptographic operations or data access patterns

🔍 How to Verify

Check if Vulnerable:

Check the installed libtpms version with pkg-config (see Check Version) or with the package manager. Versions 0.10.0 and 0.10.1 are vulnerable when libtpms is used with OpenSSL 3.x.

Check Version:

pkg-config --modversion libtpms 2>/dev/null || echo "libtpms not found"

Verify Fix Applied:

Verify version is 0.10.2 or higher and check that OpenSSL 3.x is properly integrated
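
The version and backend conditions above, written as a triage script. This is an added example, not code from the advisory or the libtpms project; the function names and the `--installed` switch are assumptions made for illustration, and the pkg-config `libcrypto` lookup only approximates the OpenSSL version libtpms actually loads.

```sh
#!/bin/sh
# Added example (not from the advisory): triage a libtpms version against the
# range given on this page: 0.10.0 and 0.10.1 affected, 0.10.2 fixed, and only
# when libtpms uses OpenSSL 3.x.

# libtpms_classify LIBTPMS_VERSION [OPENSSL_VERSION]
# Prints: affected | fixed | not-in-range | not-affected-backend | unknown
libtpms_classify() {
    v=${1##*:}          # drop a package epoch such as "1:"
    v=${v%%[-+~]*}      # drop a package suffix such as "-1ubuntu1"
    case $v in
        ''|*[!0-9.]*) echo unknown; return 0 ;;
    esac
    ossl=${2:-}         # optional; empty means the backend is not known
    case ${ossl%%.*} in
        [0-2]) echo not-affected-backend; return 0 ;;   # OpenSSL older than 3.x
    esac
    echo "$v" | awk -F. '{
        key = $1 * 1000000 + $2 * 1000 + $3
        if (key < 10000)       print "not-in-range"   # older than 0.10.0
        else if (key <= 10001) print "affected"       # 0.10.0 and 0.10.1
        else                   print "fixed"          # 0.10.2 and later
    }'
}

# Query the local system. pkg-config reports development metadata, which is
# an approximation of the libraries the TPM emulator really loads.
libtpms_check_installed() {
    ver=$(pkg-config --modversion libtpms 2>/dev/null) || {
        echo "libtpms not found"; return 1; }
    ossl=$(pkg-config --modversion libcrypto 2>/dev/null) || ossl=
    echo "libtpms=$ver openssl=${ossl:-unknown} -> $(libtpms_classify "$ver" "$ossl")"
}

# Run the local check only when asked (hypothetical switch): --installed
if [ "${1:-}" = "--installed" ]; then
    libtpms_check_installed
fi
```

When the OpenSSL version is omitted, the result depends on the libtpms version alone, so an "affected" answer still needs the backend confirmed.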

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed cryptographic operations
  • Unusual TPM access patterns
  • Errors in libtpms initialization

Network Indicators:

  • Unusual encrypted traffic patterns from TPM-dependent services

SIEM Query:

source="*libtpms*" AND (error OR failed OR warning) AND (crypto OR encryption OR decrypt)
