CVE-2024-42255

tpm: Use auth only after NULL check in tpm_buf_check_hmac_response()

Description

In the Linux kernel, the following vulnerability has been resolved: tpm: Use auth only after NULL check in tpm_buf_check_hmac_response() Dereference auth after NULL check in tpm_buf_check_hmac_response(). Otherwise, unless tpm2_sessions_init() was called, a call can cause NULL dereference, when TCG_TPM2_HMAC is enabled. [jarkko: adjusted the commit message.]

Category

5.5
CVSS
Severity: Medium
CVSS 3.1 •
EPSS 0.03%
Affected: Linux Linux
Affected: Linux Linux
Published at:
Updated at:

References

Link Tags
https://git.kernel.org/stable/c/b9afbb9a0c734197c59c43610071041044bf1562 patch
https://git.kernel.org/stable/c/7dc357d343f134bf59815ff6098b93503ec8a23b patch

Frequently Asked Questions

What is the severity of CVE-2024-42255?
CVE-2024-42255 has been scored as a medium severity vulnerability.
How to fix CVE-2024-42255?
To fix CVE-2024-42255, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2024-42255 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2024-42255 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2024-42255?
CVE-2024-42255 affects Linux Linux, Linux Linux.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.