PT-2026-6495 — Github.Com/Lf-Edge/Eve

PT-2026-6495 · Go · Github.Com/Lf-Edge/Eve

Published

2026-02-04

Updated

2026-02-04

CVSS v3.1

5.9

Medium

Vector

AV:P/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:N

Impact

Config partition measurement was moved from PCR 13 to PCR 14 in a commit, but PCR 14 was not added to the list of PCRs that seal/unseal the vault key. As a result, an attacker can remove the disk, use another server to modify the files in the config partition, and then re-insert the disk.

Patches

Fixed in EVE version 9.4.3-lts

Workarounds

None (apart from preventing physical access to the device)

Resources

https://help.zededa.com/hc/en-us/articles/43295940828827-TPM-PCR-Index-Security-Implications https://github.com/lf-edge/eve/commit/d9383a7ee4e1c39f5c8c6d4a63cb2ebd00695e8a

Fix

Insufficiently Protected Credentials

Insecure Storage of Sensitive Information

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-522CWE-922

Related Identifiers

GHSA-WC42-FCJP-V8VQ

Affected Products

Github.Com/Lf-Edge/Eve