CVE-2025-11568
4.4 MEDIUM
A data corruption vulnerability has been identified in the luksmeta utility when used with the LUKS1 disk encryption format
Published: 2025-10-15 · Last updated: 2026-05-19
Severity and scoring
- CVSS: 4.4 MEDIUM
- Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N
- CWE: CWE-1284
Description
A data corruption vulnerability has been identified in the luksmeta utility when used with the LUKS1 disk encryption format. An attacker with the necessary permissions can exploit this flaw by writing a large amount of metadata to an encrypted device. The utility fails to correctly validate the available space, causing the metadata to overwrite and corrupt the user's encrypted data. This action leads to a permanent loss of the stored information. Devices using LUKS formats other than LUKS1 are not affected by this issue.
Source: NVD
References
- [NVD] https://nvd.nist.gov/vuln/detail/CVE-2025-11568
- [Other] https://access.redhat.com/errata/RHSA-2025:23086
- [Other] https://access.redhat.com/errata/RHSA-2026:18421
- [Other] https://access.redhat.com/errata/RHSA-2026:18824
- [Other] https://access.redhat.com/security/cve/CVE-2025-11568
- [Other] https://bugzilla.redhat.com/show_bug.cgi?id=2404244
- [Other] https://github.com/latchset/luksmeta/pull/16
Related CVEs
Same CWE
- CVE-2026-49110 — Unauthenticated Broken Authentication in Upsell Order Bump Offer for WooCommerce <= 3.1.4 versions (7.5 HIGH)
- CVE-2026-49078 — Unauthenticated Other Vulnerability Type in WP Travel Engine <= 6.7.10 versions (7.5 HIGH)
- CVE-2026-45441 — Unauthenticated Other Vulnerability Type in WpEvently <= 5.3.3 versions (7.5 HIGH)
- CVE-2026-42657 — Unauthenticated Other Vulnerability Type in Contest Gallery <= 28.1.7 versions (5.3 MEDIUM)
- CVE-2026-12059 — The SSH service of CelloOS developed by Cellopoint has an Improper Access Control vulnerability, allowing authenticated remote attackers ... (8.8 HIGH)