PT-2025-44025 · Unknown · Constellation+2
Published 2025-10-27 · Updated 2025-11-28 · CVE-2025-58356
CVSS v4.0: 8.3 High
AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions
Constellation versions prior to 2.24.0
Description
Constellation is a Confidential Kubernetes platform that utilizes LUKS2-encrypted volumes for persistent storage. When opening an encrypted storage device, the system employs the crypt_activate_by_passphrase function from the libcryptsetup library. A weakness exists in handling null keyslot algorithms within cryptsetup versions prior to 2.8.1, potentially allowing a volume to appear encrypted when it is not. Specifically, cryptsetup versions before 2.8.1 do not signal an error when encountering LUKS2 disks employing the cipher_null-ecb algorithm in the keyslot encryption field. A malicious host could provide a crafted LUKS2 volume to a confidential computing guest, leading to secret data being written with a volume key known to the attacker, or pre-loaded data compromising guest execution. The LUKS2 volume metadata lacks authentication, enabling an attacker to create a volume that opens without error, records writes in plaintext (or with an attacker-known key), and contains arbitrary data. This issue arises because the keyslot encryption algorithm can be set to cipher_null-ecb, bypassing the need for enclave-held secret data during decryption.
Recommendations
Upgrade to Constellation version 2.24.0 or later.
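As an added illustration of the condition in the description (not code from Constellation or cryptsetup, and not their fix), the sketch below reads the JSON metadata of a LUKS2 header and reports any keyslot whose area encryption is a null cipher; going slightly beyond the description, it also reports null-cipher data segments. The function names and the sample header are constructed for this example, and the sample is a non-functional stub holding only the magic, version, header size and JSON.

```python
import json
import struct

LUKS2_MAGIC = b"LUKS\xba\xbe"
BIN_HDR_SIZE = 4096  # fixed-size binary header; the JSON area follows it


def parse_luks2_json(image: bytes) -> dict:
    """Return the JSON metadata of the primary LUKS2 header in `image`."""
    if len(image) < BIN_HDR_SIZE or image[:6] != LUKS2_MAGIC:
        raise ValueError("not a LUKS header")
    # Big-endian: uint16 version at offset 6, uint64 hdr_size at offset 8.
    version, hdr_size = struct.unpack_from(">HQ", image, 6)
    if version != 2:
        raise ValueError("not LUKS2")
    if not BIN_HDR_SIZE < hdr_size <= len(image):
        raise ValueError("hdr_size out of range")
    # The JSON text is NUL-terminated and padded to the end of the header.
    return json.loads(image[BIN_HDR_SIZE:hdr_size].split(b"\0", 1)[0])


def null_cipher_findings(meta: dict) -> list:
    """List keyslots and segments whose cipher spec names cipher_null."""
    findings = []
    for slot, ks in sorted(meta.get("keyslots", {}).items()):
        enc = ks.get("area", {}).get("encryption", "")
        if "cipher_null" in enc:
            findings.append(f"keyslot {slot}: {enc}")
    for seg, s in sorted(meta.get("segments", {}).items()):
        enc = s.get("encryption", "")
        if "cipher_null" in enc:
            findings.append(f"segment {seg}: {enc}")
    return findings


def build_sample(keyslot_cipher: str) -> bytes:
    """Constructed sample header (no checksum, salt or key material)."""
    meta = {
        "keyslots": {"0": {"type": "luks2",
                           "area": {"type": "raw", "encryption": keyslot_cipher}}},
        "segments": {"0": {"type": "crypt", "encryption": "aes-xts-plain64"}},
    }
    hdr_size = 16384
    binhdr = (LUKS2_MAGIC + struct.pack(">HQ", 2, hdr_size)).ljust(BIN_HDR_SIZE, b"\0")
    return (binhdr + json.dumps(meta).encode()).ljust(hdr_size, b"\0")


if __name__ == "__main__":
    for cipher in ("aes-xts-plain64", "cipher_null-ecb"):
        print(cipher, "->", null_cipher_findings(parse_luks2_json(build_sample(cipher))))
```

A check like this reads the header separately from libcryptsetup, so a host that controls the device can alter it between the check and the open; upgrading as recommended remains the fix.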
Exploit
Fix
Improper Verification of Cryptographic Signature
Files Accessible to External Parties
Related Identifiers
Affected Products
Constellation
Cryptsetup
Libcryptsetup