CVE-2023-1017: TPM2.0 vulnerable to out-of-bounds write
An out-of-bounds write vulnerability exists in the TPM2.0 Module Library that allows 2 bytes of data to be written past the end of a TPM2.0 command in the CryptParameterDecryption routine. An attacker who successfully exploits this vulnerability can cause denial of service (crashing the TPM chip/process or rendering it unusable) and/or arbitrary code execution in the TPM context.
Other sources
An out-of-bounds write vulnerability exists in TPM2.0's Module Library allowing writing of a 2-byte data past the end of TPM2.0 command in the CryptParameterDecryption routine. An attacker who can successfully exploit this vulnerability can lead to denial of service (crashing the TPM chip/process or rendering it unusable) and/or arbitrary code execution in the TPM context.
— MITRE
CERT/CC: CVE-2023-1017 TPM2.0 Module Library Elevation of Privilege Vulnerability
Frequently Asked Questions
What is CVE-2023-1017?
CVE-2023-1017 is a TPM2.0 Module Library Elevation of Privilege Vulnerability.
What is the severity of CVE-2023-1017?
CVE-2023-1017 has a severity rating of 8.8 (Critical).
Which software products are affected by CVE-2023-1017?
Windows 11 (version 22H2), Windows 11 (version 21H2), Windows Server 2022, Windows Server 2019, Windows Server 2016, and Windows 10 (versions 20H2, 22H2, 21H2, and 1607) are affected by CVE-2023-1017.
How can I fix CVE-2023-1017 on Windows 11?
To fix CVE-2023-1017 on Windows 11, install the appropriate patches: KB5023706 (for version 22H2) or KB5023698 (for version 21H2).
Where can I find more information about CVE-2023-1017?
You can find more information about CVE-2023-1017 on the Microsoft Security Response Center (MSRC) website: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-1017