CVE-2025-58356
BaseFortify
Publication date: 2025-10-27
Last updated on: 2025-11-28
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| edgelesssys | constellation | 2.24.0 |
| cryptsetup | cryptsetup | * |
| cryptsetup | cryptsetup | 2.8.1 |
| edgelesssys | constellation | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-347 | The product does not verify, or incorrectly verifies, the cryptographic signature for data. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability involves the Constellation Confidential Kubernetes system, which uses LUKS2-encrypted volumes for persistent storage. The issue arises from the libcryptsetup function crypt_activate_by_passphrase used to open encrypted storage devices. Due to unsafe handling of null keyslot algorithms in cryptsetup version 2.8.1, it is possible that a volume believed to be encrypted is actually not encrypted at all. Specifically, cryptsetup versions prior to 2.8.1 do not report errors when processing LUKS2 disks using the cipher_null-ecb algorithm in the keyslot encryption field, potentially exposing unencrypted data.
How can this vulnerability impact me?
This vulnerability can lead to a false sense of security where storage volumes are treated as confidential and encrypted, but in reality, they may not be encrypted at all. This can result in unauthorized access to sensitive data stored on these volumes, compromising data confidentiality and potentially leading to data breaches.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, upgrade cryptsetup to version 2.24.0 or later, as the issue with unsafe handling of null keyslot algorithms in cryptsetup 2.8.1 is fixed in that version.
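The weakness described above is a LUKS2 header whose keyslot area (or data segment) names cipher_null, so the volume is not actually protected by the passphrase. The following check is an added example, not code from Constellation or cryptsetup: it scans the JSON metadata in the shape that `cryptsetup luksDump --dump-json-metadata <device>` prints and reports any keyslot or segment using a null cipher, so a host can refuse to trust such a volume regardless of the cryptsetup version installed. The two sample headers are constructed and abridged to the fields the check reads.

```python
import json

NULL_CIPHERS = {"cipher_null", "null"}


def is_null_cipher(spec: str) -> bool:
    """True for cipher specs such as 'cipher_null-ecb' that provide no encryption."""
    return spec.split("-", 1)[0].strip().lower() in NULL_CIPHERS


def find_null_ciphers(metadata_json: str) -> list:
    """Return one finding per keyslot area or data segment that uses a null cipher.

    `metadata_json` is the JSON area of a LUKS2 header, in the layout that
    `cryptsetup luksDump --dump-json-metadata <device>` prints. An empty list
    means every keyslot area and crypt segment names a real cipher.
    """
    meta = json.loads(metadata_json)
    findings = []
    for slot, ks in sorted(meta.get("keyslots", {}).items()):
        enc = ks.get("area", {}).get("encryption", "")
        if is_null_cipher(enc):
            findings.append(f"keyslot {slot} area encryption: {enc}")
    for seg, sg in sorted(meta.get("segments", {}).items()):
        enc = sg.get("encryption", "")
        if sg.get("type") == "crypt" and is_null_cipher(enc):
            findings.append(f"segment {seg} encryption: {enc}")
    return findings


# Constructed sample headers (abridged to the fields this check reads).
SAFE_HEADER = json.dumps({
    "keyslots": {"0": {"type": "luks2", "key_size": 64,
                       "area": {"type": "raw", "encryption": "aes-xts-plain64",
                                "key_size": 64, "offset": "32768", "size": "258048"}}},
    "segments": {"0": {"type": "crypt", "encryption": "aes-xts-plain64",
                       "offset": "16777216", "size": "dynamic", "sector_size": 512}},
})
NULL_KEYSLOT_HEADER = json.dumps({
    "keyslots": {"0": {"type": "luks2", "key_size": 64,
                       "area": {"type": "raw", "encryption": "cipher_null-ecb",
                                "key_size": 64, "offset": "32768", "size": "258048"}}},
    "segments": {"0": {"type": "crypt", "encryption": "aes-xts-plain64",
                       "offset": "16777216", "size": "dynamic", "sector_size": 512}},
})

if __name__ == "__main__":
    for name, hdr in (("safe", SAFE_HEADER), ("null keyslot", NULL_KEYSLOT_HEADER)):
        print(name, "->", find_null_ciphers(hdr) or "ok")
```

Run it against real metadata by piping `cryptsetup luksDump --dump-json-metadata <device>` into `find_null_ciphers`; any non-empty result should block activation of the volume.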