CVE-2025-58356: Constellation has insecure LUKS2 persistent storage partitions which may be opened and used
A malicious host may provide a crafted LUKS2 volume to a confidential computing guest that is using the OpenCryptDevice feature. The guest will open the volume and write secret data using a volume key known to the attacker. The attacker can also pre-load data on the device, which could potentially compromise guest execution.
LUKS2 volume metadata is not authenticated and supports null key-encryption algorithms, allowing an attacker to create a volume such that the volume:
- Opens (cryptsetup open) without error using any passphrase or token
- Records all writes in plaintext (or ciphertext with an attacker-known key)
- Contains arbitrary data chosen by the attacker
References
- github.com/advisories/GHSA-hq76-6gh2-5g4q
- github.com/edgelesssys/constellation
- github.com/edgelesssys/constellation/commit/bb8d2c8a5c0a0a6510d2cc43055be21f4a3ab83c
- github.com/edgelesssys/constellation/pull/3927
- github.com/edgelesssys/constellation/releases/tag/v2.24.0
- github.com/edgelesssys/constellation/security/advisories/GHSA-hq76-6gh2-5g4q
- nvd.nist.gov/vuln/detail/CVE-2025-58356
Code Behaviors & Features
Detect and mitigate CVE-2025-58356 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →