CVE-2023-43635: EVE Seals Vault Key With SHA1 PCRs
The vault key is sealed using SHA1 PCRs instead of SHA256 PCRs.
An attacker with physical access to an EVE-OS device can therefore attempt to brute-force a kernel or rootfs image that produces the same SHA1 PCR value but carries malicious content.
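The following added example (not EVE-OS code) replays the same measurements into a SHA-1 and a SHA-256 PCR bank with the TPM extend rule, then applies a pre-seal check that refuses a bank weaker than SHA-256. `Bank`, `Replay` and `CheckSealBank` are hypothetical names, and the measured blobs are constructed stand-ins for kernel and rootfs images.

```go
package main

import (
	"crypto/sha1"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"hash"
)

// Bank models one TPM PCR bank (hypothetical type for this example).
type Bank struct {
	Name string
	New  func() hash.Hash
}

var (
	SHA1Bank   = Bank{"sha1", sha1.New}
	SHA256Bank = Bank{"sha256", sha256.New}
)

// Replay folds measured blobs into one PCR of the given bank using the
// TPM extend rule: PCR_new = H(PCR_old || H(blob)), starting from all zeros.
func Replay(b Bank, blobs [][]byte) []byte {
	pcr := make([]byte, b.New().Size())
	for _, blob := range blobs {
		m := b.New()
		m.Write(blob)
		h := b.New()
		h.Write(pcr)
		h.Write(m.Sum(nil))
		pcr = h.Sum(nil)
	}
	return pcr
}

// CheckSealBank rejects a sealing policy bound to a bank weaker than SHA-256.
func CheckSealBank(b Bank) error {
	if b.New().Size() < sha256.Size {
		return errors.New("sealing policy uses weak PCR bank: " + b.Name)
	}
	return nil
}

func main() {
	// Constructed stand-ins for the measured kernel and rootfs images.
	events := [][]byte{[]byte("kernel-image"), []byte("rootfs-image")}
	for _, b := range []Bank{SHA1Bank, SHA256Bank} {
		pcr := Replay(b, events)
		fmt.Printf("%-6s %3d bits %s check=%v\n", b.Name, len(pcr)*8,
			hex.EncodeToString(pcr), CheckSealBank(b))
	}
}
```

A key sealed against the `sha1` bank is released whenever that 160-bit value matches, regardless of what the `sha256` bank holds, so the check belongs at the point where the sealing policy's PCR selection is built.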