CVE-2026-21444: CWE-327: Use of a Broken or Risky Cryptographic Algorithm in stefanberger libtpms
libtpms, a library that provides software emulation of a Trusted Platform Module, has a flaw in versions 0.10.0 and 0.10.1. The commonly used integration of libtpms with OpenSSL 3.x contained a vulnerability related to the returned IV (initialization vector) when certain symmetric ciphers were used. Instead of returning the last IV it returned the initial IV to the caller, thus weakening the subsequent encryption and decryption steps. The highest threat from this vulnerability is to data confidentiality. Version 0.10.2 fixes the issue. No known workarounds are available.
AI Analysis
Technical Summary
The vulnerability identified as CVE-2026-21444 affects libtpms, a software library that emulates Trusted Platform Module (TPM) functionality. Specifically, versions 0.10.0 and 0.10.1 of libtpms, when integrated with OpenSSL 3.x, exhibit a cryptographic flaw in the handling of the initialization vector (IV) during symmetric encryption operations. Instead of returning the last IV used in the encryption process, libtpms erroneously returns the initial IV to the caller, so a caller that chains a follow-up operation on the returned IV restarts from the original IV rather than continuing the chain. This incorrect IV handling weakens the cryptographic strength of subsequent encryption and decryption steps, thereby compromising the confidentiality of the data processed by the library. The vulnerability is categorized under CWE-327 (Use of a Broken or Risky Cryptographic Algorithm) and CWE-330 (Use of Insufficiently Random Values). The flaw does not affect data integrity or availability, and exploitation requires local privileges with no user interaction needed. The vulnerability has a CVSS v3.1 base score of 5.5, indicating medium severity. The issue was resolved in libtpms version 0.10.2. No known workarounds are available, emphasizing the need for patching. No exploits have been reported in the wild to date.
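The following is an added illustration, not libtpms or OpenSSL code, of why the returned IV matters when a caller encrypts a message across several calls. It models full-block CFB chaining with a constructed toy block function (HMAC-SHA256 truncated to 16 bytes, standing in for AES) and compares the fixed behaviour (return the last ciphertext block as the IV) with the CVE-2026-21444 behaviour (return the initial IV); the mode and the stand-in cipher are assumptions for the demonstration, not a statement of exactly which libtpms ciphers were affected.

```python
import hashlib
import hmac

BLOCK = 16


def block_encrypt(key: bytes, block: bytes) -> bytes:
    # Toy stand-in for the AES block function (constructed for this
    # example, NOT a real cipher). CFB only needs the forward direction.
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def cfb_encrypt(key: bytes, iv: bytes, data: bytes, return_last_iv: bool):
    """Full-block CFB over one buffer. Returns (ciphertext, iv_out).

    return_last_iv=True  -> fixed behaviour: iv_out is the last ciphertext
                            block, so a follow-up call continues the chain.
    return_last_iv=False -> CVE-2026-21444 behaviour: iv_out is the initial
                            IV the caller passed in.
    """
    assert len(data) % BLOCK == 0
    out = bytearray()
    feedback = iv
    for i in range(0, len(data), BLOCK):
        keystream = block_encrypt(key, feedback)
        c = bytes(a ^ b for a, b in zip(keystream, data[i:i + BLOCK]))
        out += c
        feedback = c  # CFB feeds the ciphertext block back in
    return bytes(out), (feedback if return_last_iv else iv)


def encrypt_in_chunks(key, iv, chunks, return_last_iv):
    """Encrypt a message delivered over several calls, chaining on the
    iv_out of each call the way a caller of the library would."""
    out = bytearray()
    for chunk in chunks:
        c, iv = cfb_encrypt(key, iv, chunk, return_last_iv)
        out += c
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def demo():
    key = b"constructed-demo-key"   # constructed sample key
    iv = bytes(range(BLOCK))        # constructed sample IV
    p1 = b"secret block 01!"
    p2 = b"secret block 02!"
    one_shot, _ = cfb_encrypt(key, iv, p1 + p2, True)
    fixed = encrypt_in_chunks(key, iv, [p1, p2], True)
    buggy = encrypt_in_chunks(key, iv, [p1, p2], False)
    # With the bug the second call restarts from the initial IV, so both
    # calls use the same keystream for their first block: the XOR of the
    # two ciphertext blocks then equals the XOR of the plaintext blocks.
    return {
        "fixed_matches_one_shot": fixed == one_shot,
        "buggy_matches_one_shot": buggy == one_shot,
        "buggy_leaks_plaintext_xor": xor(buggy[:BLOCK], buggy[BLOCK:]) == xor(p1, p2),
        "fixed_leaks_plaintext_xor": xor(fixed[:BLOCK], fixed[BLOCK:]) == xor(p1, p2),
    }
```

A post-patch check in the same spirit is to encrypt a known multi-block input once and in chunks and confirm the two ciphertexts agree, as the fixed path does here.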
Potential Impact
For European organizations, the primary impact of CVE-2026-21444 is the potential compromise of data confidentiality within environments that utilize libtpms for TPM emulation, especially where OpenSSL 3.x is employed. This could affect virtualized systems, secure boot processes, or cryptographic operations relying on TPM functionality. Confidential data protected by these cryptographic operations may be exposed or weakened, increasing the risk of data breaches or unauthorized data disclosure. Although the vulnerability requires local privileges, insider threats or attackers who have gained limited access could exploit it to weaken encryption protections. The absence of impact on integrity and availability reduces the risk of system disruption or data tampering. However, given the critical role of TPMs in hardware-based security, the vulnerability could undermine trust in security mechanisms, affecting compliance with European data protection regulations such as GDPR. Organizations in sectors with high security requirements, including finance, government, and critical infrastructure, may face increased risk if the vulnerability remains unpatched.
Mitigation Recommendations
European organizations should immediately upgrade libtpms to version 0.10.2 or later to remediate the vulnerability. Since no workarounds exist, patching is the only effective mitigation. Additionally, organizations should audit their environments to identify all instances of libtpms usage, particularly in virtualized or TPM-emulated systems integrated with OpenSSL 3.x. Implement strict access controls and monitoring to limit local privilege escalation opportunities, as exploitation requires local access. Review cryptographic configurations to ensure no legacy or weak cipher suites are in use that could compound the risk. Conduct thorough testing post-patching to verify that TPM-related cryptographic operations function correctly. Finally, maintain up-to-date asset inventories and vulnerability management processes to promptly address similar cryptographic issues in the future.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Estonia
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-12-29T03:00:29.276Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69581901db813ff03efbfeb4
Added to database: 1/2/2026, 7:14:09 PM
Last enriched: 1/2/2026, 7:29:02 PM
Last updated: 1/8/2026, 6:01:19 AM
Views: 82