Skip to main content

Mondoo Vulnerability Intelligence

Curated by Mondoo Research, enhanced with AI

Resources

Search Vulnerabilities
Trending CVEs
Browse Ecosystems
Terminology
Blog

Open Source

cnquery
cnspec

Star us on GitHub!

Company

Mondoo Platform
About
Contact

© 2026 Mondoo, Inc.

Privacy Policy Terms of Service Imprint

Vulnerability Intelligence

GHSA-g7vp-j25f-h34p | Mondoo Vulnerability Intelligence

Vulnerability IntelligenceGHSA-g7vp-j25f-h34p

GHSA-g7vp-j25f-h34p

MEDIUM6.7

EVE Has Partially Predetermined Vault Key

Published Feb 4, 2026

Modified 1 months ago

Fix available

Details

Impact

The deriveVaultKey function calls retrieveCloudKey which always returns "foobarfoobarfoobarfoobarfoobarfo". When merged with the randomly generated 32-byte key using mergeKeys (16 bytes from each), the last 16 bytes are always "arfoobarfoobarfo". This enables an attacker with physical access to the EVE-OS device to attempt to brute force the remaining 128 bits of key.

Patches

Fixed in 7.10 and 8.12.1-lts

Workarounds

None

Affected Packages

github.com/lf-edge/eve

Go

Fixed in:

0.0.0-20220310190112-c0c966dc31e2

References

https://asrg.io/security-advisories/cve-2023-43637

https://asrg.io/security-advisories/vault-key-partially-predetermined

https://github.com/advisories/GHSA-g7vp-j25f-h34p

https://github.com/lf-edge/eve

https://github.com/lf-edge/eve/commit/c0c966dc31e2ed9aafc155e6be646adb14756c01

https://github.com/lf-edge/eve/security/advisories/GHSA-g7vp-j25f-h34p

https://nvd.nist.gov/vuln/detail/CVE-2023-43637

Aliases

CVSS Analysis

CVSS v3.1

6.7

Exploitability

Attack Vector

PhysicalAV:P

Attack Complexity

HighAC:H

Privileges Required

LowPR:L

User Interaction

NoneUI:N

Scope

Scope

ChangedS:C

Impact

Confidentiality

HighC:H

Integrity

HighI:H

Availability

NoneA:N

6.7/CVSS:3.1/AV:P/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N

Related

Ecosystems

Timeline

PublishedFeb 4, 2026

ModifiedFeb 4, 2026