VDB
CVE-2026-32606
CVE-2026-32606
PUBLISHED
CVSS 7.699999809265137 HIGH
IncusOS has a LUKS encryption bypass due to insufficient TPM policy
EPSS 0.01% · 0.7th percentile
Risk Scores
CVSS 3.1
7.699999809265137
CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS Score
0.01%
0.7th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| lxc | incus-os | < 202603142010, *, < 202603142010 |
| github.com | lxc/incus-os/incus-osd | 0, 0, 0 |
Exploit Intelligence
- CIRCL seen: CVE-2026-32606 (circl-sighting)
- CIRCL seen: CVE-2026-32606 (circl-sighting)
- https://github.com/lxc/incus-os/security/advisories/GHSA-wj2j-qwcf-cfcc (circl)
- https://github.com/lxc/incus-os/pull/954 (circl)
- https://github.com/lxc/incus-os/commit/e3b35f230d23443d27752eac27ebb2b22c957b75 (circl)
- https://discuss.linuxcontainers.org/t/potential-luks-encryption-bypass-through-filesystem-confusion/26348 (circl)
- https://oddlama.org/blog/bypassing-disk-encryption-with-tpm2-unlock (circl)
Timeline
- Mar 16, 2026 CVE Published
- Mar 17, 2026 Security Advisory
- Mar 18, 2026 EPSS Score
- Mar 18, 2026 PoC Published
- Mar 18, 2026 PoC Published
- Mar 19, 2026 CVE Updated
- Mar 19, 2026 EPSS Score
- Mar 20, 2026 EPSS Score
- Mar 21, 2026 EPSS Score
- Mar 22, 2026 EPSS Score
- Mar 23, 2026 EPSS Score
- Mar 24, 2026 EPSS Score
References
- https://github.com/lxc/incus-os/security/advisories/GHSA-wj2j-qwcf-cfcc url
- https://github.com/lxc/incus-os/pull/954 url
- https://github.com/lxc/incus-os/commit/e3b35f230d23443d27752eac27ebb2b22c957b75 url
- https://discuss.linuxcontainers.org/t/potential-luks-encryption-bypass-through-filesystem-confusion/26348 url
- https://oddlama.org/blog/bypassing-disk-encryption-with-tpm2-unlock url
- https://nvd.nist.gov/vuln/detail/CVE-2026-32606 advisory
- https://github.com/lxc/incus-os package