CVE-2025-1292: TPM2 Out-Of-Bounds Write Leading to Potential Operating System Verification Bypass in ChromeOS
First published: Tue Apr 15 2025(Updated: )
Out-Of-Bounds Write in TPM2 Reference Library in Google ChromeOS 122.0.6261.132 stable on Cr50 Boards allows an attacker with root access to gain persistence and bypass operating system verification via exploiting the NV_Read functionality during the Challenge-Response process.
Credit: 7f6e188d-c52a-4a19-8674-3c3fa7d1fc7f
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Google Chrome OS |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2025-1292?
CVE-2025-1292 is rated as a high severity vulnerability due to its potential to allow attackers with root access to gain persistence.
How do I fix CVE-2025-1292?
To fix CVE-2025-1292, update Google ChromeOS to the latest version that addresses this vulnerability.
What systems are affected by CVE-2025-1292?
CVE-2025-1292 affects Google ChromeOS version 122.0.6261.132 on Cr50 Boards.
What type of attack is possible with CVE-2025-1292?
CVE-2025-1292 allows an attacker to exploit the NV_Read functionality during the Challenge-Response process.
Can CVE-2025-1292 lead to bypassing security measures?
Yes, CVE-2025-1292 can allow attackers to bypass operating system verification.
- collector/mitre-cve
- source/MITRE
- agent/description
- agent/title
- agent/references
- agent/first-publish-date
- agent/type
- agent/guess-ai
- agent/software-canonical-lookup
- agent/softwarecombine
- agent/author
- agent/source
- agent/tags
- collector/nvd-api
- source/NVD
- agent/severity
- agent/last-modified-date
- agent/weakness
- agent/event
- vendor/google
- canonical/google chrome os