CVE-2025-58356 is a vulnerability categorized under CWE-347 (Improper Verification of Cryptographic Signature) that affects the edgelesssys Constellation product, a Confidential Kubernetes platform. Constellation uses LUKS2-encrypted volumes for persistent storage, relying on the cryptsetup library to open encrypted partitions securely. The vulnerability arises from cryptsetup versions prior to 2.24.0, specifically version 2.8.1, which improperly handles the cipher_null-ecb algorithm in the keyslot encryption field of LUKS2 disks. When cryptsetup processes a LUKS2 volume encrypted with the null cipher, it fails to report an error and treats the volume as encrypted, even though it is effectively unencrypted. This flaw allows a malicious actor with high privileges on the Constellation Confidential VM to open and access data on a volume that is not actually encrypted, thereby violating confidentiality guarantees. The attack vector requires local access with high privileges but does not require user interaction or authentication beyond that privilege level. The vulnerability has a CVSS 4.0 score of 8.3, reflecting its high severity due to the potential for significant confidentiality impact and the ease of exploitation once high privileges are obtained. No known exploits have been reported in the wild, but the flaw undermines the core security premise of Confidential Kubernetes environments that rely on encryption for data protection. The issue is fixed in cryptsetup version 2.24.0 and later, which correctly rejects LUKS2 volumes using the null cipher in keyslots.

For European organizations deploying edgelesssys Constellation as part of their confidential computing and Kubernetes orchestration infrastructure, this vulnerability poses a serious risk to data confidentiality. If exploited, attackers with high privilege access on the Confidential VM could bypass encryption protections and access sensitive data stored on supposedly encrypted persistent volumes. This undermines trust in the confidentiality guarantees of the platform and could lead to data breaches involving intellectual property, personal data, or regulated information. The impact is particularly critical for sectors with strict data protection requirements such as finance, healthcare, and government. Additionally, the breach of encrypted storage could facilitate further lateral movement or privilege escalation within affected environments. Although exploitation requires local high privilege access, the vulnerability expands the attack surface by allowing attackers to circumvent encryption controls once inside. The absence of known exploits suggests limited immediate risk, but the high severity score and fundamental nature of the flaw warrant urgent remediation in European deployments.

European organizations using edgelesssys Constellation should immediately upgrade cryptsetup to version 2.24.0 or later to ensure proper handling of LUKS2 volumes and prevent acceptance of null cipher encrypted keyslots. It is critical to audit existing encrypted volumes to verify that none use the cipher_null-ecb algorithm, as these volumes are effectively unencrypted and vulnerable. Implement strict access controls and monitoring to limit high privilege access on Confidential VMs, reducing the risk of exploitation. Employ runtime integrity checks and cryptographic verification of storage volumes to detect anomalies or misconfigurations. Consider deploying additional encryption layers or hardware-based security modules to complement software encryption. Regularly review and update cryptographic libraries and dependencies to incorporate security patches promptly. Finally, conduct security awareness training for administrators managing confidential Kubernetes environments to recognize and mitigate risks related to encryption handling.