LUKS Key Exposure in IncusOS Due to Insecure TPM Configuration
CVE-2026-32606
7.7 HIGH
What is CVE-2026-32606?
A flaw in the default systemd-cryptenroll configuration of IncusOS allows an attacker with physical access to the machine to obtain the LUKS volume key, and with it the encrypted data, without any user interaction. The Trusted Platform Module (TPM) releases the sealed LUKS key whenever the Platform Configuration Registers (PCRs) named in the key's policy match, and in the affected configuration that policy is satisfied by the trusted boot chain alone: it does not take into account which root volume the key is then handed to. An attacker can therefore replace the original encrypted root partition with one they control, let the signed boot chain run until the TPM policy is satisfied, and have their own root partition request the original LUKS key from the TPM. Update to version 202603142010, which introduces new PCR15 logic that re-binds the LUKS key to the appropriate TPM registers so that the key is no longer released once a different root volume is in use.
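The release condition described above, as an added model: this is illustrative code, not IncusOS's code, configuration or actual fix. It builds a toy TPM that seals a LUKS key to a PCR policy, runs a boot that extends PCR 7 with the Secure Boot state and then measures the root volume it hands over to into PCR 15, and compares an enrollment bound to PCR 7 only with one bound to PCR 7 and 15. The policy construction, the choice of PCR 7 for the boot chain, the constructed key and measurement values, and the names `enroll`, `boot` and `exposure` are assumptions for illustration; PCR 15 is the register systemd-cryptsetup's `tpm2-measure-pcr=` option measures the volume key into, but how IncusOS's PCR15 logic is implemented is not described on this page.

```python
# Illustrative model of TPM-bound LUKS key release (added example, not IncusOS code).
# Assumptions: PCR 7 carries the Secure Boot state, the initrd measures the root
# volume it hands over to into PCR 15, and the TPM policy is a digest over the
# selected PCR values. Real TPM2_PolicyPCR digests differ in detail.
import hashlib
from typing import Dict, Optional, Tuple

PCR_INIT = b"\x00" * 32
SECURE_BOOT_STATE = b"secure-boot db/KEK/PK state (constructed)"
LUKS_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)  # constructed volume key


def extend(pcr: bytes, event: bytes) -> bytes:
    """TPM2_PCR_Extend: new = SHA-256(old || SHA-256(event))."""
    return hashlib.sha256(pcr + hashlib.sha256(event).digest()).digest()


def policy_digest(pcrs: Dict[int, bytes], selection: Tuple[int, ...]) -> bytes:
    """Simplified PCR policy: digest over the selected PCR indices and values."""
    h = hashlib.sha256()
    for idx in selection:
        h.update(bytes([idx]) + pcrs[idx])
    return h.digest()


class SealedKey:
    """A secret sealed to the PCR state captured at enrollment time."""

    def __init__(self, secret: bytes, pcrs: Dict[int, bytes], selection: Tuple[int, ...]):
        self.secret = secret
        self.selection = selection
        self.expected = policy_digest(pcrs, selection)

    def unseal(self, pcrs: Dict[int, bytes]) -> Optional[bytes]:
        """The TPM releases the secret only while the selected PCRs still match."""
        if policy_digest(pcrs, self.selection) != self.expected:
            return None
        return self.secret


def pre_unlock_state() -> Dict[int, bytes]:
    """PCR state when the initrd asks the TPM for the root key: the signed boot
    chain has run (PCR 7 extended) and nothing has been measured into PCR 15."""
    return {7: extend(PCR_INIT, SECURE_BOOT_STATE), 15: PCR_INIT}


def enroll(secret: bytes, selection: Tuple[int, ...]) -> SealedKey:
    """Stand-in for enrolling a LUKS key against a PCR selection (hypothetical helper)."""
    return SealedKey(secret, pre_unlock_state(), selection)


def boot(sealed: SealedKey, attacker_root: bool) -> Tuple[Optional[bytes], Optional[bytes]]:
    """Run one boot; return (key seen by the initrd, key seen by root userspace).

    The boot chain is the genuine signed one either way, so PCR 7 matches.
    With attacker_root=True the encrypted root has been swapped for a partition
    the attacker controls, whose userspace presents the original sealed key
    (copied from the original LUKS header) to the TPM.
    """
    pcrs = pre_unlock_state()
    initrd_key = None if attacker_root else sealed.unseal(pcrs)
    # Before switching root, the initrd measures the volume it hands over to
    # into PCR 15 (assumed here; systemd-cryptsetup does this for the volume key).
    pcrs[15] = extend(pcrs[15], b"attacker-volume (constructed)" if attacker_root else LUKS_KEY)
    userspace_key = sealed.unseal(pcrs)
    return initrd_key, userspace_key


def exposure(selection: Tuple[int, ...]) -> bool:
    """True if a swapped-in root can pull the original LUKS key out of the TPM."""
    _, leaked = boot(enroll(LUKS_KEY, selection), attacker_root=True)
    return leaked == LUKS_KEY


if __name__ == "__main__":
    print("policy PCR 7 only   -> key exposed to swapped root:", exposure((7,)))
    print("policy PCR 7 and 15 -> key exposed to swapped root:", exposure((7, 15)))
    legit_initrd, legit_userspace = boot(enroll(LUKS_KEY, (7, 15)), attacker_root=False)
    print("policy PCR 7 and 15 -> legitimate initrd unlock:", legit_initrd == LUKS_KEY)
    print("policy PCR 7 and 15 -> re-unseal from root userspace:", legit_userspace is not None)
```

The last line of output illustrates the design point behind binding to PCR 15: once the initrd has measured the root volume, not even the legitimate root's userspace can pull the sealed key out of the TPM again, so an attacker-controlled root that runs after the same hand-over step is refused as well. A policy that covers only the boot chain (PCR 7) cannot distinguish the two cases.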
Affected Version(s)
incus-os < 202603142010
