PT-2026-6361 · Go · github.com/lf-edge/eve

Published: 2026-02-04 · Updated: 2026-02-04

CVSS v3.1

6.7 (Medium)

Vector: AV:P/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N

Impact

The vault key is sealed to the SHA-1 PCRs instead of the SHA-256 PCRs. An attacker with physical access to an EVE-OS device can therefore try to brute-force a kernel or rootfs image that has malicious content but produces the same SHA-1 PCR value.
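
How the choice of PCR bank determines what the seal commits to, as an added example that is not EVE-OS code: it replays the same constructed measurements into a SHA-1 and a SHA-256 PCR and rejects any sealing selection that is not the SHA-256 bank. The names `Bank`, `Replay` and `CheckSealingBank` are hypothetical, and hashing each measurement with the bank's own algorithm is a simplification of a real event log.

```go
package main

import (
	"crypto/sha1"
	"crypto/sha256"
	"errors"
	"fmt"
	"hash"
)

// Bank is a TPM 2.0 PCR bank, identified by its TPM_ALG_ID.
type Bank uint16

const BankSHA1, BankSHA256 Bank = 0x0004, 0x000B // TPM_ALG_SHA1, TPM_ALG_SHA256

var hashes = map[Bank]func() hash.Hash{BankSHA1: sha1.New, BankSHA256: sha256.New}
var ErrNotSHA256 = errors.New("key is not sealed to SHA-256 PCRs")

// Replay folds measurements into one PCR of the given bank, starting from
// all zeroes: PCR_new = H(PCR_old || H(measurement)). Unknown bank: nil.
func Replay(b Bank, measurements [][]byte) []byte {
	newHash, ok := hashes[b]
	if !ok {
		return nil
	}
	pcr := make([]byte, newHash().Size())
	for _, m := range measurements {
		d := newHash()
		d.Write(m)
		h := newHash()
		h.Write(pcr)
		h.Write(d.Sum(nil))
		pcr = h.Sum(nil)
	}
	return pcr
}

// CheckSealingBank accepts only a PCR selection in the SHA-256 bank.
func CheckSealingBank(b Bank) error {
	if b != BankSHA256 {
		return fmt.Errorf("%w: bank 0x%04x", ErrNotSHA256, uint16(b))
	}
	return nil
}

func main() {
	boot := [][]byte{[]byte("constructed-kernel"), []byte("constructed-rootfs")} // constructed sample
	fmt.Printf("sha1=%x\nsha256=%x\ncheck(sha1)=%v\n", Replay(BankSHA1, boot), Replay(BankSHA256, boot), CheckSealingBank(BankSHA1))
}
```

A seal bound to the SHA-1 value commits only to a 160-bit chain of SHA-1 digests; the SHA-256 value of the same boot is computed independently and plays no part in it.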

Patches

Fixed in 9.4.3-lts and 10.1.0

Workarounds

None

Fix

Weakness Enumeration

Insufficiently Protected Credentials

Use of a Broken Cryptographic Algorithm

Related Identifiers

GHSA-4JVR-VJ2C-8Q37

Affected Products

github.com/lf-edge/eve