Fergus-Dall

**Name of the Vulnerable Software and Affected Versions** tpm2-tss versions (affected versions not specified) **Description** The issue is related to the `Tss2 RC SetHandler` and `Tss2 RC Decode` functions in the tpm2-tss implementation of the Trusted Computing Group (TCG) Trusted Platform Module (TPM) 2 Software Stack (TSS2). These functions index into the `layer handler` array with an 8-bit layer number, but the array only has `TPM2 ERROR TSS2 RC LAYER COUNT` entries. This can cause a buffer overrun when trying to add a handler for higher-numbered layers or decode a response code with such a layer number, potentially resulting in arbitrary code execution. An example attack could be a Man-in-the-Middle (MiTM) bus attack that returns 0xFFFFFFFF for the response code. The attacker must have local access to the target machine with local system privileges, which typically requires administrative privilege. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.