CVE-2023-43634: EVE Doesn't Protect Config Partition with Measured Boot

February 4, 2026

Config partition measurement was moved from PCR 13 to PCR 14 in a commit, but PCR 14 was not added to the list of PCRs that seal/unseal the vault key. As a result, an attacker can remove the disk, use another server to modify the files in the config partition, and then re-insert the disk.

References

asrg.io/security-advisories/config-partition-not-protected-by-measured-boot
asrg.io/security-advisories/cve-2023-43634
github.com/advisories/GHSA-wc42-fcjp-v8vq
github.com/lf-edge/eve
github.com/lf-edge/eve/security/advisories/GHSA-wc42-fcjp-v8vq
nvd.nist.gov/vuln/detail/CVE-2023-43634

Code Behaviors & Features

Detect and mitigate CVE-2023-43634 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →