VSA-2025-004: Libtpms Vulnerability
Published | Updated | Severity | CVSS 3.1 | Affected products |
---|---|---|---|---|
2025-10-23 | 2025-10-23 | 🟢 Low | 5.9 | XCP-ng 8.3 |
For Vates products, we classify the impact as Low: the platform itself is not impacted, only the behaviour of the virtual machine that owns the vTPM. For details on how we assign severity levels, see our Severity Levels Explained page.
Summary
The libtpms project has published a vulnerability affecting version 0.7.1 of the library. In theory it allows a VM with the vTPM module enabled to crash its own vTPM. vTPM is disabled by default, so virtual machines without it are not affected at all.
Impact
Production environments
All virtual machines with vTPM enabled are affected; the crash is confined to the vTPM of the guest that triggers it.
Affected Versions
- XCP-ng 8.3 LTS: Fixed.
Mitigation
As a preventative measure, the vTPM can be disabled on VMs that do not need it, which removes the exposure entirely. Before removing a vTPM, check that the guest does not rely on state stored in it (for example disk-encryption keys); otherwise prefer updating the package instead.
Resolution
As of 2025-10-23, the updated libtpms package is available in the official XCP-ng repositories. Users are strongly encouraged to update their systems as soon as possible.
Package fixing this issue:
- XCP-ng 8.3:
libtpms-0.9.6-3.xcpng8.3
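The following script is an added example, not part of the Vates advisory or the XCP-ng tooling. It checks, on an XCP-ng 8.3 host, whether the installed libtpms build is at least the fixed one listed above and lists the VMs that still have a vTPM attached, so an operator can decide which of the two actions (update or remove the vTPM) applies. The comparison uses `sort -V`, which approximates RPM version ordering well enough for the builds above; `rpmdev-vercmp` is exact but not always installed. The `xe vtpm-list` field names `vm-uuid` and `uuid`, and the existence of `xe vtpm-destroy`, are assumptions about the xe CLI, not taken from the advisory.

```shell
#!/bin/sh
# Added example (not from the advisory): verify libtpms is at or above the
# fixed build and enumerate VMs that still have a vTPM on an XCP-ng 8.3 host.

FIXED_LIBTPMS="0.9.6-3.xcpng8.3"   # from the advisory's package list

# version_ge A B: succeed if A >= B under version ordering (sort -V).
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$2" ]
}

# libtpms_is_fixed INSTALLED: succeed if INSTALLED is the fixed build or newer.
libtpms_is_fixed() {
    version_ge "$1" "$FIXED_LIBTPMS"
}

# installed_libtpms: print VERSION-RELEASE of the installed libtpms rpm.
installed_libtpms() {
    rpm -q --qf '%{VERSION}-%{RELEASE}\n' libtpms 2>/dev/null
}

# vtpm_vms: one line per vTPM: "<vtpm-uuid> <vm-uuid> <vm name-label>".
# Assumption: xe vtpm-list exposes 'uuid' and 'vm-uuid' params.
vtpm_vms() {
    for vtpm in $(xe vtpm-list params=uuid --minimal | tr ',' ' '); do
        vm=$(xe vtpm-list uuid="$vtpm" params=vm-uuid --minimal)
        name=$(xe vm-list uuid="$vm" params=name-label --minimal)
        printf '%s %s %s\n' "$vtpm" "$vm" "$name"
    done
}

main() {
    ver=$(installed_libtpms) || { echo "libtpms is not installed"; exit 1; }
    if libtpms_is_fixed "$ver"; then
        echo "libtpms $ver: fixed (>= $FIXED_LIBTPMS)"
    else
        echo "libtpms $ver: VULNERABLE, run: yum update libtpms"
    fi
    echo "VMs with a vTPM attached (vtpm-uuid vm-uuid name):"
    vtpm_vms
    echo "To remove a vTPM from a shut-down VM (assumed command): xe vtpm-destroy uuid=<vtpm-uuid>"
}

# Only query the host when invoked with --run, so the functions can be sourced.
if [ "${1:-}" = "--run" ]; then
    main
fi
```

Run it as `sh check_libtpms.sh --run` on the dom0 of each XCP-ng 8.3 host. A host reporting VULNERABLE should be updated with `yum update libtpms` (or a full `yum update`); VMs listed by the script that do not need a vTPM can have it removed as described under Mitigation.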
Credits
Thanks to the libtpms maintainers for fixing this vulnerability upstream and to XenServer for the package update.