| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2026012327-CVE-2025-71147-a296@gregkh> Date: Fri, 23 Jan 2026 15:15:27 +0100 From: Greg Kroah-Hartman <gregkh@...uxfoundation.org> To: linux-cve-announce@...r.kernel.org Cc: Greg Kroah-Hartman <gregkh@...nel.org> Subject: CVE-2025-71147: KEYS: trusted: Fix a memory leak in tpm2_load_cmd From: Greg Kroah-Hartman <gregkh@...nel.org> Description =========== In the Linux kernel, the following vulnerability has been resolved: KEYS: trusted: Fix a memory leak in tpm2_load_cmd 'tpm2_load_cmd' allocates a tempoary blob indirectly via 'tpm2_key_decode' but it is not freed in the failure paths. Address this by wrapping the blob into with a cleanup helper. The Linux kernel CVE team has assigned CVE-2025-71147 to this issue. Affected and fixed versions =========================== Issue introduced in 5.13 with commit f2219745250f388edacabe6cca73654131c67d0a and fixed in 5.15.198 with commit 3fd7df4636d8fd5e3592371967a5941204368936 Issue introduced in 5.13 with commit f2219745250f388edacabe6cca73654131c67d0a and fixed in 6.1.160 with commit af0689cafb127a8d1af78cc8b72585c9b2a19ecd Issue introduced in 5.13 with commit f2219745250f388edacabe6cca73654131c67d0a and fixed in 6.6.120 with commit 19166de9737218b77122c41a5730ac87025e089f Issue introduced in 5.13 with commit f2219745250f388edacabe6cca73654131c67d0a and fixed in 6.12.64 with commit 9b015f2918b95bdde2ca9cefa10ef02b138aae1e Issue introduced in 5.13 with commit f2219745250f388edacabe6cca73654131c67d0a and fixed in 6.18.3 with commit 9e7c63c69f57b1db1a8a1542359a6167ff8fcef1 Issue introduced in 5.13 with commit f2219745250f388edacabe6cca73654131c67d0a and fixed in 6.19-rc1 with commit 62cd5d480b9762ce70d720a81fa5b373052ae05f Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2025-71147 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: security/keys/trusted-keys/trusted_tpm2.c Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/3fd7df4636d8fd5e3592371967a5941204368936 https://git.kernel.org/stable/c/af0689cafb127a8d1af78cc8b72585c9b2a19ecd https://git.kernel.org/stable/c/19166de9737218b77122c41a5730ac87025e089f https://git.kernel.org/stable/c/9b015f2918b95bdde2ca9cefa10ef02b138aae1e https://git.kernel.org/stable/c/9e7c63c69f57b1db1a8a1542359a6167ff8fcef1 https://git.kernel.org/stable/c/62cd5d480b9762ce70d720a81fa5b373052ae05f
Powered by blists - more mailing lists