At the moment it's just a DDOS that can be fixed with a reset, as correctly noted in the Lenovo report https://support.lenovo.com/us/en/product_security/LEN-118320, but the interesting thing is that Google published a fix documenting the issue before the embargo release, therefore leaking the info about 3.5 months ago:

2022-12-16 Quarkslab asked Google for an update and answers to the questions sent previously on Dec. 5th and 12th. Also notified Google that it found out that a fix for the vulns we reported was committed to the Chromium OS TPM2 code on December 1st, and that since the repository is publicly visible, Quarkslab considered knowledge about the existence of the bugs to be public now. Asked Google for their plan to roll out these fixes to supported devices.




Isn't the primary (entire?) purpose of the embargo timeline to permit vendors time to develop, test, prepare, and roll out patches to prevent exploitation of the vulnerability, and to do so before its public disclosure?

I don't know if I'm missing some detail here (like perhaps there are two embargo timelines, one for code shortly before another for full release), but on a first read this seems like exactly what the Chromium developers should do.


Also interesting:

2023-01-05 Google followed up indicating that while they consider the code changes to be public, they do not consider them to break embargo per discussion with CERT and TCG. Also that they cannot provide an answer to the question about their plan to roll out fixes to their devices.


The commit, for reference: https://chromium.googlesource.com/chromiumos/third_party/tpm...

Of course, "fix bound checks" screams VULNERABILITY to every security researcher mindlessly scrolling through the commit logs.


