Certain function pointers in Trusted Boot through 1.9.6 are not validated and can cause arbitrary code execution, which allows local users to overwrite dynamic PCRs of Trusted Platform Module by hooking these function pointers.