Security Vulnerability Report
CVE-2025-71077 CVSS 5.5 MEDIUM

CVE-2025-71077

Published: 2026-01-13 16:16:07
Last Modified: 2026-03-25 19:00:14
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved:

tpm: Cap the number of PCR banks

tpm2_get_pcr_allocation() does not cap any upper limit for the number of banks. Cap the limit to eight banks so that out of bounds values coming from external I/O cause only limited harm.

CVSS Details

CVSS Score: 5.5
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

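cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (from 5.1.1 including, up to 5.10.248 excluding) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (from 5.11 including, up to 5.15.198 excluding) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (from 5.16 including, up to 6.1.160 excluding) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (from 6.2 including, up to 6.6.120 excluding) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (from 6.7 including, up to 6.12.64 excluding) - VULNERABLE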
Linux kernel < 5.10.x (stable versions before patches)
Linux kernel < 5.15.x (LTS versions before patches)
Linux kernel < 6.1.x (LTS versions before patches)
Linux kernel < 6.6.x (LTS versions before patches)
Fix commits (tagged "Patch" in the references, git.kernel.org stable tree): 275c686f1e3cc056ec66c764489ec1fe1e51b950, 858344bc9210bea9ab2bdc7e9e331ba84c164e50, 8ceee7288152bc121a6bf92997261838c78bfe06, b69492161c056d36789aee42a87a33c18c8ed5e1, ceb70d31da5671d298bad94ae6c20e4bbb800f96

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```c
// CVE-2025-71077 PoC - Linux Kernel TPM PCR Banks Limit Bypass
// This PoC demonstrates how an unbounded number of PCR banks can cause issues
// Note: Actual exploitation requires kernel access and TPM device interaction
// This file is a user-space simulation; it does not touch a TPM or the kernel.
#include <stdio.h>
#include <stdlib.h>

// Upper limit enforced by the fixed version (eight banks, per the advisory)
#define MAX_PCR_BANKS 8

// Simulated vulnerable function from Linux kernel
void tpm2_get_pcr_allocation_vulnerable(int num_banks)
{
    printf("Processing %d PCR banks...\n", num_banks);

    // Vulnerable: No upper limit check on num_banks
    // In real kernel, this would allocate memory for each bank
    int *bank_data = malloc((size_t)num_banks * sizeof(int));
    if (bank_data == NULL) {
        printf("Memory allocation failed for %d banks\n", num_banks);
        return;
    }

    // Process each bank (simplified simulation)
    for (int i = 0; i < num_banks; i++) {
        bank_data[i] = i * 0x100;
    }

    printf("Successfully processed %d PCR banks\n", num_banks);
    free(bank_data);
}

// Fixed version with proper limit check
void tpm2_get_pcr_allocation_fixed(int num_banks)
{
    printf("Processing %d PCR banks...\n", num_banks);

    // Fixed: Enforce upper limit
    if (num_banks > MAX_PCR_BANKS) {
        printf("ERROR: Number of PCR banks (%d) exceeds maximum limit (%d)\n",
               num_banks, MAX_PCR_BANKS);
        return;
    }

    int *bank_data = malloc((size_t)num_banks * sizeof(int));
    if (bank_data == NULL) {
        printf("Memory allocation failed for %d banks\n", num_banks);
        return;
    }

    for (int i = 0; i < num_banks; i++) {
        bank_data[i] = i * 0x100;
    }

    printf("Successfully processed %d PCR banks\n", num_banks);
    free(bank_data);
}

int main(void)
{
    printf("=== CVE-2025-71077 PoC Demonstration ===\n\n");

    printf("[Test 1] Normal case (4 banks):\n");
    tpm2_get_pcr_allocation_vulnerable(4);
    printf("\n");

    printf("[Test 2] Malicious case (1000 banks) - Vulnerable version:\n");
    tpm2_get_pcr_allocation_vulnerable(1000);
    printf("\n");

    printf("[Test 3] Malicious case (1000 banks) - Fixed version:\n");
    tpm2_get_pcr_allocation_fixed(1000);
    printf("\n");

    printf("=== End of PoC ===\n");
    return 0;
}
```

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-71077", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-01-13T16:16:07.200", "lastModified": "2026-03-25T19:00:14.080", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntpm: Cap the number of PCR banks\n\ntpm2_get_pcr_allocation() does not cap any upper limit for the number of\nbanks. Cap the limit to eight banks so that out of bounds values coming\nfrom external I/O cause on only limited harm."}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\ntpm: Limitar el número de bancos PCR\n\ntpm2_get_pcr_allocation() no establece ningún límite superior para el número de bancos. Establecer el límite en ocho bancos para que los valores fuera de límites provenientes de E/S externa causen solo un daño limitado."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.1.1", "versionEndExcluding": "5.10.248", "matchCriteriaId": "5AFA252E-18DC-485A-A9C3-C5E6770F5D96"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.11", "versionEndExcluding": "5.15.198", "matchCriteriaId": 
"82159CAA-B6BA-43C6-85D8-65BDBC175A7E"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.16", "versionEndExcluding": "6.1.160", "matchCriteriaId": "C10CC03E-16A9-428A-B449-40D3763E15F6"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2", "versionEndExcluding": "6.6.120", "matchCriteriaId": "43C3A206-5EEE-417B-AA0F-EF8972E7A9F0"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.7", "versionEndExcluding": "6.12.64", "matchCriteriaId": "32BF4A52-377C-44ED-B5E6-7EA5D896E98B"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.13", "versionEndExcluding": "6.18.3", "matchCriteriaId": "2DC484D8-FB4F-4112-900F-AE333B6FE7A7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:5.1:-:*:*:*:*:*:*", "matchCriteriaId": "D89FA266-EDB9-412A-B18E-1B5A0FCC3C0D"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*", "matchCriteriaId": "17B67AA7-40D6-4AFA-8459-F200F3D7CFD1"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:*", "matchCriteriaId": "C47E4CC9-C826-4FA9-B014-7FE3D9B318B2"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:*", "matchCriteriaId": "F71D92C0-C023-48BD-B3B6-70B638EEE298"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:*", "matchCriteriaId": "13580667-0A98-40CC-B29F-D12790B91BDB"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc5:*:*:*:*:*:*", "matchCriteriaId": "CAD1FED7-CF48-47BF-AC7D-7B6FA3C065FC"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc6:*:*:*:*:*:*", "matchCriteriaId": "3EF854A1-ABB1-4E93-BE9A-44569EC76C0D"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc7:*:*:*:*:*:*", "matchCriteriaId": 
"F5DC0CA6-F0AF-4DDF-A882-3DADB9A886A7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc8:*:*:*:*:*:*", "matchCriteriaId": "EB5B7DFC-C36B-45D8-922C-877569FDDF43"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/275c686f1e3cc056ec66c764489ec1fe1e51b950", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/858344bc9210bea9ab2bdc7e9e331ba84c164e50", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/8ceee7288152bc121a6bf92997261838c78bfe06", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/b69492161c056d36789aee42a87a33c18c8ed5e1", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/ceb70d31da5671d298bad94ae6c20e4bbb800f96", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/ ... (truncated)