CVE-2025-2884 — Out-of-bounds Read in Computing Group Tpm2.0

CWE-125 — Out-of-bounds Read7 documents6 sources

Severity

6.6MEDIUMNVD

EPSS

0.1%

top 78.26%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

8

Trusted Computing Group Tpm2.0 Msrc Windows 11 Version 22h2 FOR X64-based Systems Msrc Windows 11 Version 23h2 FOR X64-based Systems +5 more

Timeline

PublishedJun 10

Latest updateOct 14

Description

TCG TPM2.0 Reference implementation's CryptHmacSign helper function is vulnerable to Out-of-Bounds read due to the lack of validation the signature scheme with the signature key's algorithm. See Errata Revision 1.83 and advisory TCGVRT0009 for TCG standard TPM2.0

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:HExploitability: 1.3 | Impact: 5.2

Affected Packages8 packages

▶CVEListV5trusted_computing_group/tpm2.0< 1.83

▶msrcmsrc/windows_server_2025

▶msrcmsrc/windows_server_2022_23h2_edition

▶msrcmsrc/windows_11_version_22h2_for_x64-based_systems

▶msrcmsrc/windows_11_version_23h2_for_x64-based_systems

🔴Vulnerability Details

1

GHSA

GHSA-3fxc-2crv-fg9x: TCG TPM2↗2025-06-10

▶

📋Vendor Advisories

1

Microsoft

Cert CC: CVE-2025-2884 Out-of-Bounds read vulnerability in TCG TPM2.0 reference implementation↗2025-10-14

▶

🕵️Threat Intelligence

4

Qualys

Microsoft and Adobe Patch Tuesday, October 2025 Security Update Review | Qualys↗2025-10-14

▶

Qualys

Microsoft and Adobe Patch Tuesday, October 2025 Security Update Review↗2025-10-14

▶

Bleepingcomputer

Microsoft October 2025 Patch Tuesday fixes 6 zero-days, 172 flaws↗2025-10-14

▶

Crowdstrike

October 2025 Patch Tuesday: Updates and Analysis↗

▶

CVE-2025-2884 — Out-of-bounds Read | cvebase