
CVE-2025-58356: CWE-347: Improper Verification of Cryptographic Signature in edgelesssys constellation

High
Published: Mon Oct 27 2025 (10/27/2025, 19:33:23 UTC)
Source: CVE Database V5
Vendor/Project: edgelesssys
Product: constellation

Description

Constellation is the first Confidential Kubernetes. The Constellation CVM image uses LUKS2-encrypted volumes for persistent storage. When opening an encrypted storage device, the CVM uses the libcryptsetup function crypt_activate_by_passphrase. If the VM succeeds in opening the partition with the disk encryption key, it treats the volume as confidential. However, because cryptsetup versions prior to 2.8.1 handle null keyslot algorithms unsafely, the opened volume may not be encrypted at all: cryptsetup prior to version 2.8.1 does not report an error when processing LUKS2-formatted disks that use the cipher_null-ecb algorithm in the keyslot encryption field. This vulnerability is fixed in Constellation 2.24.0.

AI-Powered Analysis

AI analysis last updated: 11/28/2025, 22:35:00 UTC

Technical Analysis

CVE-2025-58356 is a vulnerability in edgelesssys Constellation, a Confidential Kubernetes platform that uses LUKS2-encrypted volumes for persistent storage. The Constellation CVM image opens encrypted storage devices with the libcryptsetup function crypt_activate_by_passphrase and treats any volume that activates successfully as confidential. LUKS2 stores the volume key in keyslots, and each keyslot records in its keyslot encryption field the cipher used to wrap that key material. cryptsetup versions prior to 2.8.1 accept the cipher_null-ecb algorithm in this field without error, so a LUKS2 header crafted with a null-cipher keyslot activates normally even though its key material sits on disk in the clear and whoever wrote the header knows the volume key. The CVM therefore treats as confidential a volume that provides no confidentiality and that may not be encrypted at all. The CVE is classified as CWE-347 (Improper Verification of Cryptographic Signature): the CVM relies on successful activation as proof of protection instead of verifying the cryptographic properties of the volume it opened. The flaw affects the confidentiality and integrity of data stored on these volumes. It is fixed in Constellation 2.24.0; cryptsetup itself rejects such keyslots from version 2.8.1 onward. Exploitation requires local privileged access (control over the LUKS2 header of a disk the CVM will open) but no user interaction. No known exploits are currently in the wild. The CVSS 4.0 score is 8.3 (High), reflecting high impact on confidentiality and integrity with low attack complexity. Because the guarantee of Confidential Kubernetes is that the infrastructure cannot read workload data, silently accepting an unencrypted volume undermines the platform's core security promise and can expose sensitive workloads and data.

Potential Impact

For European organizations deploying edgelesssys Constellation with vulnerable cryptsetup versions, this vulnerability poses a significant risk to the confidentiality and integrity of sensitive data stored on persistent volumes. Since Constellation is designed to provide confidential computing guarantees, accepting a volume without verifying that it is actually encrypted undermines trust in the platform's security. An attacker with local privileged access who can control the LUKS2 header of a disk the CVM opens could exploit this flaw to obtain unencrypted data, leading to data breaches, intellectual property theft, or exposure of regulated information subject to GDPR. The impact is particularly critical for sectors handling sensitive data such as finance, healthcare, and government. Compromised confidentiality could also facilitate further lateral movement or privilege escalation within Kubernetes clusters. No user interaction is required; the high privileges needed narrow the attack surface but do not eliminate the risk, especially in multi-tenant or cloud environments where privileged access to the underlying storage may be attainable. Overall, the vulnerability threatens the foundational security model of Confidential Kubernetes deployments in Europe.

Mitigation Recommendations

1. Upgrade Constellation to 2.24.0 or later, the release that fixes this issue, and ensure the CVM image ships cryptsetup 2.8.1 or later, the first version that reports an error for LUKS2 keyslots using cipher_null-ecb.
2. Audit existing encrypted volumes for keyslots or data segments that use cipher_null or other insecure ciphers (the LUKS2 JSON metadata can be inspected with cryptsetup luksDump --dump-json-metadata) and re-encrypt any that do with a secure cipher.
3. Enforce a cryptographic policy that rejects LUKS2 volumes whose keyslot encryption or data cipher is null or otherwise insecure, both at volume creation and again before an opened volume is treated as confidential; successful activation alone is not evidence of encryption.
4. Restrict local privileged access to trusted administrators and enforce strong access controls and monitoring to reduce the risk of exploitation.
5. Regularly monitor and verify the integrity and encryption status of persistent storage volumes within Kubernetes clusters.
6. Incorporate cryptographic validation checks into CI/CD pipelines and infrastructure as code to prevent deployment of vulnerable configurations.
7. Stay informed on vendor patches and security advisories related to edgelesssys Constellation and cryptsetup components.
8. Consider additional runtime security controls such as container security platforms that can detect anomalous volume mounts or access patterns.
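The header-level check that the mechanism in the Technical Analysis and mitigation items 2 and 3 call for, as an added example written for this page; it is not Constellation's or cryptsetup's code. It parses the LUKS2 binary header (magic, version and hdr_size at their fixed offsets in the LUKS2 on-disk format) and the JSON metadata area that follows it, then rejects any keyslot whose area encryption is a null cipher, any segment that is not of type crypt, and any data cipher other than the one the deployment expects. The two fixtures are constructed, not real device dumps, and every name in the block (ParseLUKS2Header, CheckPolicy, BuildHeader, safeMeta, nullKeyslotMeta) is this example's own.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"encoding/json"
	"fmt"
	"io"
	"strings"
)

// LUKS2 layout: 4096-byte binary header (magic, version u16 BE, hdr_size u64 BE, ...), then the JSON area, null-padded to hdr_size.
const (
	luks2Magic      = "LUKS\xba\xbe"
	luks2BinHdrSize = 4096
)

type Metadata struct {
	Keyslots map[string]struct {
		Area struct{ Encryption string `json:"encryption"` } `json:"area"` // cipher wrapping the AF-split volume key
	} `json:"keyslots"`
	Segments map[string]struct {
		Type       string `json:"type"`       // "crypt" is encrypted; "linear" is not
		Encryption string `json:"encryption"` // cipher protecting the data itself
	} `json:"segments"`
}

// ParseLUKS2Header reads the header from a device, image or luksHeaderBackup file (the checksum is left to libcryptsetup).
func ParseLUKS2Header(r io.Reader) (*Metadata, error) {
	var bin [luks2BinHdrSize]byte
	if _, err := io.ReadFull(r, bin[:]); err != nil {
		return nil, fmt.Errorf("reading binary header: %w", err)
	}
	hdrSize := binary.BigEndian.Uint64(bin[8:16])
	if string(bin[:6]) != luks2Magic || binary.BigEndian.Uint16(bin[6:8]) != 2 || hdrSize <= luks2BinHdrSize || hdrSize > 4<<20 {
		return nil, fmt.Errorf("not a LUKS2 header, or implausible hdr_size %d", hdrSize) // 4 MiB bounds the allocation below
	}
	jsonArea := make([]byte, hdrSize-luks2BinHdrSize)
	if _, err := io.ReadFull(r, jsonArea); err != nil {
		return nil, fmt.Errorf("reading JSON area: %w", err)
	}
	var md Metadata
	if err := json.Unmarshal(bytes.TrimRight(jsonArea, "\x00"), &md); err != nil {
		return nil, fmt.Errorf("decoding JSON metadata: %w", err)
	}
	return &md, nil
}

// isNullCipher matches "cipher_null-ecb" from the advisory, any other cipher_null mode, and an empty spec.
func isNullCipher(spec string) bool {
	s := strings.ToLower(strings.TrimSpace(spec))
	return s == "" || strings.HasPrefix(s, "cipher_null")
}

// CheckPolicy returns one error per violation: a keyslot wrapped with a null cipher (the volume key
// sits on disk in the clear and any passphrase "unwraps" it), an unencrypted segment, or a wrong data cipher.
func CheckPolicy(md *Metadata, wantSegment string) []error {
	var errs []error
	for id, ks := range md.Keyslots {
		if isNullCipher(ks.Area.Encryption) {
			errs = append(errs, fmt.Errorf("keyslot %s: key material wrapped with %q", id, ks.Area.Encryption))
		}
	}
	for id, seg := range md.Segments {
		if seg.Type != "crypt" {
			errs = append(errs, fmt.Errorf("segment %s: type %q is not encrypted", id, seg.Type))
		} else if isNullCipher(seg.Encryption) || seg.Encryption != wantSegment {
			errs = append(errs, fmt.Errorf("segment %s: data cipher %q, want %q", id, seg.Encryption, wantSegment))
		}
	}
	return errs
}

// Constructed fixtures, not real dumps: safeMeta is the expected shape; nullKeyslotMeta is the CVE's shape.
const safeMeta = `{"keyslots": {"0": {"type": "luks2", "key_size": 64,
  "area": {"type": "raw", "offset": "32768", "size": "258048", "encryption": "aes-xts-plain64", "key_size": 64},
  "af": {"type": "luks1", "stripes": 4000, "hash": "sha256"}, "kdf": {"type": "argon2id", "time": 4, "memory": 1048576, "cpus": 4, "salt": "c2FsdA=="}}},
 "segments": {"0": {"type": "crypt", "offset": "16777216", "size": "dynamic", "iv_tweak": "0", "encryption": "aes-xts-plain64", "sector_size": 4096}}}`
var nullKeyslotMeta = strings.Replace(safeMeta, `"aes-xts-plain64", "key_size": 64`, `"cipher_null-ecb", "key_size": 64`, 1)

// BuildHeader wraps JSON metadata in a minimal in-memory LUKS2 header (fixture only: salt, UUID and checksum stay zero).
func BuildHeader(jsonMeta string) []byte {
	buf := make([]byte, 16384) // hdr_size = 4096 binary + 12288 JSON area
	copy(buf, luks2Magic)
	binary.BigEndian.PutUint16(buf[6:8], 2)
	binary.BigEndian.PutUint64(buf[8:16], uint64(len(buf)))
	copy(buf[luks2BinHdrSize:], jsonMeta)
	return buf
}

func main() {
	for name, meta := range map[string]string{"safe": safeMeta, "null-keyslot": nullKeyslotMeta} {
		md, err := ParseLUKS2Header(bytes.NewReader(BuildHeader(meta)))
		if err != nil {
			panic(err)
		}
		fmt.Printf("%s fixture: violations %v\n", name, CheckPolicy(md, "aes-xts-plain64"))
	}
}
```

To audit a real volume, hand ParseLUKS2Header an opened device node or a file written by cryptsetup luksHeaderBackup; the JSON it decodes is the same document cryptsetup luksDump --dump-json-metadata prints. The check runs on the untrusted header before activation, which is exactly the input the vulnerable path accepted on success, so it complements the upgrades rather than replacing them. libcryptsetup's post-activation crypt_get_cipher() and crypt_get_cipher_mode() report the data segment's cipher, not how the keyslot wraps the volume key, so a check done only after activation would miss the null-keyslot case this CVE describes.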


Technical Details

Data Version
5.1
Assigner Short Name
GitHub_M
Date Reserved
2025-08-29T16:19:59.010Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 68ffca08ba6dffc5e209fffc

Added to database: 10/27/2025, 7:37:44 PM

Last enriched: 11/28/2025, 10:35:00 PM

Last updated: 12/11/2025, 10:01:00 PM
