CVE-2025-58356
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-10-27

Last updated on: 2025-11-28

Assigner: GitHub, Inc.

Description
Constellation is the first Confidential Kubernetes. The Constellation CVM image uses LUKS2-encrypted volumes for persistent storage. When opening an encrypted storage device, the CVM uses the libcryptsetup function crypt_activate_by_passhrase. If the VM is successful in opening the partition with the disk encryption key, it treats the volume as confidential. However, due to the unsafe handling of null keyslot algorithms in the cryptsetup 2.8.1, it is possible that the opened volume is not encrypted at all. Cryptsetup prior to version 2.8.1 does not report an error when processing LUKS2-formatted disks that use the cipher_null-ecb algorithm in the keyslot encryption field. This vulnerability is fixed in 2.24.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-10-27
Last Modified
2025-11-28
Generated
2026-06-16
AI Q&A
2025-10-27
EPSS Evaluated
2026-06-15
NVD
CVE-2025-58356
Affected Vendors & Products
Showing 4 associated CPEs
Vendor Product Version / Range
edgelesssys constellation 2.24.0
cryptsetup cryptsetup *
cryptsetup cryptsetup 2.8.1
edgelesssys constellation *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-347 The product does not verify, or incorrectly verifies, the cryptographic signature for data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability involves the Constellation Confidential Kubernetes system, which uses LUKS2-encrypted volumes for persistent storage. The issue arises from the libcryptsetup function crypt_activate_by_passphrase used to open encrypted storage devices. Due to unsafe handling of null keyslot algorithms in cryptsetup version 2.8.1, it is possible that a volume believed to be encrypted is actually not encrypted at all. Specifically, cryptsetup versions prior to 2.8.1 do not report errors when processing LUKS2 disks using the cipher_null-ecb algorithm in the keyslot encryption field, potentially exposing unencrypted data.

Impact Analysis

This vulnerability can lead to a false sense of security where storage volumes are treated as confidential and encrypted, but in reality, they may not be encrypted at all. This can result in unauthorized access to sensitive data stored on these volumes, compromising data confidentiality and potentially leading to data breaches.

Mitigation Strategies

To mitigate this vulnerability, upgrade cryptsetup to version 2.24.0 or later, as the issue with unsafe handling of null keyslot algorithms in cryptsetup 2.8.1 is fixed in that version.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-58356. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart