CVE-2026-32606 in incus-os
Summary
by MITRE • 03/18/2026
IncusOS is an immutable OS image dedicated to running Incus. Prior to 202603142010, the default configuration of systemd-cryptenroll as used by IncusOS through mkosi allows for an attacker with physical access to the machine to access the encrypted data without requiring any interaction by the system's owner or any tampering of Secure Boot state or kernel (UKI) boot image. That's because in this configuration, the LUKS key is made available by the TPM so long as the system has the expected PCR7 value and the PCR11 policy matches. That default PCR11 policy importantly allows for the TPM to release the key to the booted system rather than just from the initrd part of the signed kernel image (UKI). The attack relies on the attacker being able to substitute the original encrypted root partition for one that they control. By doing so, the system will prompt for a recovery key on boot, which the attacker has defined and can provide, before booting the system using the attacker's root partition rather than the system's original one. The attacker only needs to put a systemd unit starting on system boot within their root partition to have the system run that logic on boot. That unit will then run in an environment where the TPM will allow for the retrieval of the encryption key of the real root disk, allowing the attacker to steal the LUKS volume key (immutable master key) and then use it against the real root disk, altering it or getting data out before putting the disk back the way it was and returning the system without a trace of this attack having happened. This is all possible because the system will have still booted with Secure Boot enabled, will have measured and ran the expected bootloader and kernel image (UKI). The initrd selects the root disk based on GPT partition identifiers making it possible to easily substitute the real root disk for an attacker controlled one. This doesn't lead to any change in the TPM state and therefore allows for retrieval of the LUKS key by the attacker through a boot time systemd unit on their alternative root partition. IncusOS version 202603142010 (2026/03/14 20:10 UTC) includes the new PCR15 logic and will automatically update the TPM policy on boot. Anyone suspecting that their system may have been physically accessed while shut down should perform a full system wipe and reinstallation as only that will rotate the LUKS volume key and prevent subsequent access to the encrypted data should the system have been previously compromised. There are no known workarounds other than updating to a version with corrected logic which will automatically rebind the LUKS keys to the new set of TPM registers and prevent this from being exploited.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 03/22/2026
The vulnerability described in CVE-2026-32606 affects IncusOS, an immutable operating system designed specifically for running Incus containers. This flaw resides in the default configuration of systemd-cryptenroll as implemented through mkosi, creating a critical security weakness that allows physical attackers to access encrypted data without requiring any interaction from the system owner or tampering with Secure Boot mechanisms. The vulnerability stems from how the Trusted Platform Module (TPM) releases LUKS encryption keys under specific Platform Configuration Register (PCR) conditions, particularly the overly permissive PCR11 policy that enables key release during the boot process rather than restricting it to the initrd phase of the signed kernel image (UKI).
The technical implementation of this vulnerability exploits the system's reliance on GPT partition identifiers for root disk selection, making it straightforward for attackers to substitute the legitimate encrypted root partition with one they control. When the system boots with the attacker's partition, it prompts for a recovery key that the attacker has pre-defined and can provide, effectively allowing the attacker to boot using their own root partition instead of the original system partition. This substitution mechanism bypasses traditional security measures because the system still appears to boot with Secure Boot enabled, and the expected bootloader and kernel image measurements are preserved, maintaining the appearance of system integrity.
The operational impact of this vulnerability is severe as it enables attackers to execute arbitrary code through systemd units placed within their controlled root partition, operating in an environment where the TPM permits encryption key retrieval from the real root disk. This allows attackers to steal the LUKS volume key (the immutable master key) and subsequently access, modify, or exfiltrate data from the actual encrypted volume before restoring the original disk state. The attack remains undetectable because it doesn't alter the TPM state and occurs entirely during the boot process, making it particularly dangerous for systems that rely on physical security measures.
This vulnerability aligns with CWE-310 (Cryptographic Issues) and represents a specific implementation flaw in the TPM-based key management system. It also maps to ATT&CK technique T1490 (Inhibit System Recovery) and T1566 (Phishing) as it enables unauthorized access to encrypted data through physical compromise rather than network-based attacks. The attack vector specifically targets the boot process and TPM policy enforcement, making it particularly challenging to detect through conventional security monitoring approaches that focus on runtime behavior rather than boot-time integrity verification. The fix implemented in IncusOS version 202603142010 addresses this by introducing new PCR15 logic that automatically updates the TPM policy on boot, effectively re-binding LUKS keys to a new set of TPM registers and preventing exploitation of the vulnerability.
The mitigation strategy requires immediate system updates to versions containing the corrected TPM policy logic, as no workarounds exist for systems already compromised. Organizations should perform full system wipes and reinstallation procedures for any systems suspected of having been physically accessed while powered off, as this is the only method to rotate the LUKS volume key and prevent subsequent unauthorized access to encrypted data. This vulnerability demonstrates the critical importance of proper TPM policy configuration and the potential for physical access attacks to bypass traditional security controls, particularly in immutable operating system implementations where the security model relies heavily on boot-time integrity verification and trusted execution environments.