GHSA-4jvr-vj2c-8q37

Source
https://github.com/advisories/GHSA-4jvr-vj2c-8q37
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-4jvr-vj2c-8q37/GHSA-4jvr-vj2c-8q37.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-4jvr-vj2c-8q37
Aliases
Published
2026-02-04T23:12:29Z
Modified
2026-02-19T20:41:22.297357Z
Severity
  • 6.7 (Medium) CVSS_V3 - CVSS:3.1/AV:P/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N
Summary
EVE Seals Vault Key With SHA1 PCRs
Details

Impact

The vault key is sealed using SHA1 PCRs instead of SHA256 PCRs.

An attacker with physical access to an EVE-OS device can therefore try to brute-force a kernel or rootfs image that produces the same SHA1 PCR value but carries malicious content.

Patches

Fixed in 9.4.3-lts and 10.1.0.

Workarounds

None

Database specific
{
    "nvd_published_at": null,
    "severity": "MODERATE",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-327",
        "CWE-328",
        "CWE-522"
    ],
    "github_reviewed_at": "2026-02-04T23:12:29Z"
}
References

Affected packages

Go / github.com/lf-edge/eve

Package

Name
github.com/lf-edge/eve
Purl
pkg:golang/github.com/lf-edge/eve

Affected ranges

Type
SEMVER
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
0.0.0-20230519072751-977f42b07fa9

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-4jvr-vj2c-8q37/GHSA-4jvr-vj2c-8q37.json"