CVE-2026-32606

Source
https://cve.org/CVERecord?id=CVE-2026-32606
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-32606.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-32606
Aliases
Downstream
Related
Published
2026-03-18T05:14:05.304Z
Modified
2026-04-10T05:43:02.591130Z
Severity
  • 7.6 (High) CVSS_V3 - CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Summary
IncusOS has a LUKS encryption bypass due to insufficient TPM policy
Details

IncusOS is an immutable OS image dedicated to running Incus. Prior to 202603142010, the default configuration of systemd-cryptenroll as used by IncusOS through mkosi allows an attacker with physical access to the machine to access the encrypted data without requiring any interaction by the system's owner or any tampering with the Secure Boot state or the kernel (UKI) boot image. This is because, in this configuration, the LUKS key is made available by the TPM so long as the system has the expected PCR7 value and the PCR11 policy matches. That default PCR11 policy importantly allows the TPM to release the key to the fully booted system rather than only from the initrd part of the signed kernel image (UKI). The attack relies on the attacker being able to replace the original encrypted root partition with one that they control. By doing so, the system will prompt for a recovery key on boot, which the attacker has defined and can provide, before booting using the attacker's root partition rather than the system's original one. The attacker only needs to place a systemd unit that starts on system boot within their root partition to have the system run that logic on boot. That unit will then run in an environment where the TPM will allow retrieval of the encryption key of the real root disk, allowing the attacker to steal the LUKS volume key (immutable master key) and then use it against the real root disk, altering it or extracting data before putting the disk back the way it was and returning the system without a trace of the attack having happened. This is all possible because the system will still have booted with Secure Boot enabled and will have measured and run the expected bootloader and kernel image (UKI). The initrd selects the root disk based on GPT partition identifiers, making it easy to substitute the real root disk with an attacker-controlled one.
This does not lead to any change in the TPM state and therefore allows the attacker to retrieve the LUKS key through a boot-time systemd unit on their alternative root partition. IncusOS version 202603142010 (2026/03/14 20:10 UTC) includes the new PCR15 logic and will automatically update the TPM policy on boot. Anyone suspecting that their system may have been physically accessed while shut down should perform a full system wipe and reinstallation, as only that will rotate the LUKS volume key and prevent subsequent access to the encrypted data should the system have been previously compromised. There are no known workarounds other than updating to a version with the corrected logic, which will automatically rebind the LUKS keys to the new set of TPM registers and prevent this from being exploited.
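As an added defender-side example (not code from the advisory or from the IncusOS project), the check below audits which PCRs a systemd-cryptenroll TPM2 enrollment is bound to and flags the pre-fix state described above: PCR7 plus a signed PCR11 policy but no PCR15 binding. It assumes LUKS2 metadata JSON of the shape produced by `cryptsetup luksDump --dump-json-metadata`; the sample token is constructed, and its field names follow the systemd-tpm2 token format rather than being copied from a real IncusOS install.

```python
import json

# Constructed sample of a "systemd-tpm2" LUKS2 token (field names as in the
# systemd token format; values are placeholders, not from a real system).
WEAK_TOKEN = {
    "type": "systemd-tpm2",
    "keyslots": ["1"],
    "tpm2-pcrs": [7],            # unsealed whenever PCR7 (Secure Boot state) matches
    "tpm2-pcr-bank": "sha256",
    "tpm2-pubkey-pcrs": [11],    # signed PCR11 policy; also satisfied by the booted system
    "tpm2-policy-hash": "PLACEHOLDER_POLICY_HASH",
}

# Same enrollment after rebinding to the additional register (PCR15).
FIXED_TOKEN = dict(WEAK_TOKEN, **{"tpm2-pcrs": [7, 15]})

# Constructed LUKS2 metadata dump containing the weak token as token "0".
SAMPLE_METADATA = json.dumps({"tokens": {"0": WEAK_TOKEN}})


def audit_tpm2_token(token: dict) -> list[str]:
    """Return findings for one systemd-tpm2 token; an empty list means OK."""
    if token.get("type") != "systemd-tpm2":
        return ["not a systemd-tpm2 token"]
    findings = []
    pcrs = set(token.get("tpm2-pcrs", []))
    pubkey_pcrs = set(token.get("tpm2-pubkey-pcrs", []))
    if 7 not in pcrs:
        findings.append("PCR7 not bound: key does not depend on Secure Boot state")
    if 11 not in pcrs and 11 not in pubkey_pcrs:
        findings.append("PCR11 not bound: key does not depend on the signed UKI")
    if 15 not in pcrs:
        # This is the pre-202603142010 IncusOS state described in the advisory.
        findings.append("PCR15 not bound: key can still be unsealed after the "
                        "initrd has handed over to a substituted root filesystem")
    return findings


def audit_luks_metadata(metadata_json: str) -> dict[str, list[str]]:
    """Audit every systemd-tpm2 token in a LUKS2 JSON metadata dump."""
    meta = json.loads(metadata_json)
    return {
        tid: audit_tpm2_token(tok)
        for tid, tok in meta.get("tokens", {}).items()
        if tok.get("type") == "systemd-tpm2"
    }


if __name__ == "__main__":
    for tid, findings in audit_luks_metadata(SAMPLE_METADATA).items():
        print(f"token {tid}: {findings or 'OK'}")
```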

Database specific
{
    "cwe_ids": [
        "CWE-522"
    ],
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/32xxx/CVE-2026-32606.json"
}
References

Affected packages

Git / github.com/lxc/incus-os

Affected ranges

Type
GIT
Repo
https://github.com/lxc/incus-os
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

Other
