We're spilling the TEE: an attack that extracts all data from 8 confidential computing systems by changing one field in LUKS2's metadata header 🧵 (CVE-2025-59054 and CVE-2025-58356)
LUKS2 stores its encryption config in a JSON header on the disk itself. An attacker with write access changes "aes-xts-plain64" to "cipher_null-ecb", which does nothing. The CVM boots as if the disk was still encrypted.
CVE-2025-59054 and CVE-2025-58356 affect LUKS2 disk encryption in confidential VMs from Oasis, Phala, Flashbots, Secret Network, Fortanix, Edgeless, and Cosmian. All 8 affected projects are now patched.
The fix: validate headers before use.
If you're building confidential computing systems and want to avoid similar footguns, contact us for a free one-hour office hours with our engineers:
2.98K
16
The content on this page is provided by third parties. Unless otherwise stated, OKX is not the author of the cited article(s) and does not claim any copyright in the materials. The content is provided for informational purposes only and does not represent the views of OKX. It is not intended to be an endorsement of any kind and should not be considered investment advice or a solicitation to buy or sell digital assets. To the extent generative AI is utilized to provide summaries or other information, such AI generated content may be inaccurate or inconsistent. Please read the linked article for more details and information. OKX is not responsible for content hosted on third party sites. Digital asset holdings, including stablecoins and NFTs, involve a high degree of risk and can fluctuate greatly. You should carefully consider whether trading or holding digital assets is suitable for you in light of your financial condition.