CVE-2025-49133: 
Linux Debian vulnerability analysis and mitigation

Libtpms, a library targeting TPM functionality integration into hypervisors (primarily Qemu), contains a potential out-of-bounds (OOB) read vulnerability. The vulnerability, identified as CVE-2025-49133, was discovered in the 'CryptHmacSign' function where an inconsistent pairing of the signKey and signScheme parameters occurs when the signKey is ALG_KEYEDHASH key and inScheme is an ECC or RSA scheme (GitHub Advisory).

The vulnerability is located in the 'CryptHmacSign' function, which is defined in the TPM 2.0 reference implementation's 'Part 4: Supporting Routines – Code' document, section '7.151 - /tpm/src/crypt/CryptUtil.c'. The issue stems from an inconsistent pairing of cryptographic parameters, specifically when the signKey is ALG_KEYEDHASH key and inScheme is an ECC or RSA scheme. The vulnerability has been assigned a CVSS v3.1 base score of 5.9 (Medium) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:N/I:N/A:H (NVD).

When exploited, this vulnerability can cause an abort due to the detection of the out-of-bounds access, making a virtual TPM (swtpm) unavailable to a Virtual Machine. This can lead to service disruption for affected systems, particularly impacting virtualized environments that rely on TPM functionality (GitHub Advisory).

The vulnerability has been fixed in libtpms versions 0.7.12, 0.8.10, 0.9.7, and 0.10.1. Users are advised to upgrade to these patched versions. There are no known workarounds for this vulnerability (GitHub Advisory).