PT-2026-25845 · Systemd +5

Credits: Stéphane Graber +1

Published 2026-03-16 · Updated 2026-03-27

CVE-2026-32606

CVSS v3.1: 7.6 (High)
Vector: AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

IncusOS versions prior to 202603142010
Description

The default configuration of systemd-cryptenroll, as used by IncusOS through mkosi, allows an attacker with physical access to the machine to read the encrypted data without any interaction from the system owner and without tampering with Secure Boot or the kernel image. The TPM releases the LUKS key to the booted system whenever PCR7 holds the expected value and the signed PCR11 policy matches; nothing in that policy distinguishes the legitimate root filesystem from a substituted one.

An attacker can replace the original encrypted root partition with a LUKS partition they control. The system then prompts for a recovery key, which the attacker defined, and boots into the attacker's root filesystem. Because Secure Boot state and the signed kernel image are unchanged, the TPM policy is still satisfied, so a systemd unit inside the attacker's root partition can ask the TPM to release the encryption key of the real root disk. The attacker can then steal or alter the data before restoring the system to its original state. The attack works even with Secure Boot enabled, as the initrd selects the root disk based on GPT partition identifiers, so the substituted partition is treated as the root disk.

The issue affects all IncusOS users, particularly systems deployed in physically unsecured environments. The attack involves altering the GPT partition table, creating a new LUKS-encrypted partition, and using a systemd unit to extract the key.
Recommendations

Update to IncusOS version 202603142010 or later, which adds the new PCR15 logic and automatically updates the TPM policy on boot. If physical access is suspected, perform a full system wipe and reinstall to rotate the LUKS volume key, since the existing key may already have been extracted.
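The description above explains that the key is released whenever the PCR7 value and the signed PCR11 policy match, and the recommendation adds PCR15 logic. The following added example, which is not code from IncusOS, systemd or mkosi, is the check a practitioner would run to see which PCRs a volume's TPM2 enrollments are actually bound to. It parses the JSON that `cryptsetup luksDump --dump-json-metadata <device>` prints (the LUKS2 header, in which systemd-cryptenroll stores one "systemd-tpm2" token per enrollment). The sample headers are constructed and trimmed; the classification rule (no PCR15 binding and no PIN means the weak state described in this advisory) is an assumption made for the example, not a statement from the page.

```python
"""Audit the TPM2 enrollments of a LUKS2 volume for PCR binding.

Added example, not IncusOS/systemd/mkosi code. Parses the output of
`cryptsetup luksDump --dump-json-metadata <device>` and reports which
PCRs each systemd-tpm2 token's unseal policy depends on.
"""
import json
import subprocess

PCR_SECURE_BOOT = 7   # Secure Boot state
PCR_UKI_POLICY = 11   # signed UKI policy (stored under tpm2-pubkey-pcrs)
PCR_VOLUME_KEY = 15   # volume-key measurement made at unlock time


def tpm2_tokens(header):
    """Yield (token_id, token) for every systemd-tpm2 token in the header.

    Other token types (e.g. systemd-recovery) are skipped on purpose.
    """
    for token_id, token in sorted(header.get("tokens", {}).items()):
        if token.get("type") == "systemd-tpm2":
            yield token_id, token


def assess_enrollment(token_id, token):
    """Classify one enrollment by the PCRs its policy is bound to.

    Assumption (example's own rule): an enrollment with neither a PCR15
    binding nor a PIN can be unsealed by any root filesystem booted under
    the same Secure Boot state and signed UKI, i.e. the weak state.
    """
    pcrs = sorted(int(p) for p in token.get("tpm2-pcrs", []))
    pubkey_pcrs = sorted(int(p) for p in token.get("tpm2-pubkey-pcrs", []))
    bound = set(pcrs) | set(pubkey_pcrs)
    pin = bool(token.get("tpm2-pin", False))
    reasons = [
        f"missing PCR{pcr}"
        for pcr in (PCR_SECURE_BOOT, PCR_UKI_POLICY, PCR_VOLUME_KEY)
        if pcr not in bound
    ]
    return {
        "token": token_id,
        "pcrs": pcrs,
        "pubkey_pcrs": pubkey_pcrs,
        "pin": pin,
        "weak": PCR_VOLUME_KEY not in bound and not pin,
        "reasons": reasons,
    }


def assess_header(header):
    """Assess every TPM2 enrollment in a parsed LUKS2 header."""
    return [assess_enrollment(tid, tok) for tid, tok in tpm2_tokens(header)]


def assess_device(device):
    """Dump a real device's LUKS2 header (needs root) and assess it."""
    out = subprocess.run(
        ["cryptsetup", "luksDump", "--dump-json-metadata", device],
        check=True, capture_output=True, text=True,
    ).stdout
    return assess_header(json.loads(out))


# Constructed sample headers, trimmed to the fields the check reads
# (real tokens also carry tpm2-blob, tpm2-policy-hash, tpm2-pubkey, ...).
WEAK_HEADER = {
    "tokens": {
        "0": {"type": "systemd-tpm2", "keyslots": ["1"],
              "tpm2-pcrs": [7], "tpm2-pubkey-pcrs": [11], "tpm2-pin": False},
        "1": {"type": "systemd-recovery", "keyslots": ["2"]},
    }
}
HARDENED_HEADER = {
    "tokens": {
        "0": {"type": "systemd-tpm2", "keyslots": ["1"],
              "tpm2-pcrs": [7, 15], "tpm2-pubkey-pcrs": [11], "tpm2-pin": False},
    }
}

if __name__ == "__main__":
    for name, header in (("weak", WEAK_HEADER), ("hardened", HARDENED_HEADER)):
        for finding in assess_header(header):
            state = "WEAK" if finding["weak"] else "ok"
            print(f"{name}: token {finding['token']} pcrs={finding['pcrs']} "
                  f"pubkey_pcrs={finding['pubkey_pcrs']} pin={finding['pin']} "
                  f"-> {state} {finding['reasons']}")
```

On a live system, `assess_device("/dev/disk/by-partlabel/...")` replaces the constructed headers; the same token fields are read from the real header. A PIN-protected enrollment is not flagged because unsealing it would require the interaction the advisory says the attack avoids, but whether a PIN is acceptable for an unattended host is a deployment decision.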


Weakness Enumeration

CWE-522 Insufficiently Protected Credentials

Related Identifiers

CVE-2026-32606
GHSA-WJ2J-QWCF-CFCC
GO-2026-4704
SUSE-SU-2026:1135-1

Affected Products

GPT
IncusOS
LUKS
TPM
mkosi
systemd