A vulnerability (GHSA-f5p4-p5q5-jv3h) was discovered in Contrast's LUKS2 persistent storage implementation, affecting versions <=v1.12.0. It allows a malicious host to provide a crafted LUKS2 volume to a Contrast pod VM that uses the secure persistent volume feature, potentially exposing confidential data. The issue was discovered and disclosed in October 2025 and concerns Contrast's use of cryptsetup (GitHub Advisory).
The vulnerability stems from unsafe handling of null keyslot algorithms in cryptsetup; the partial fix shipped in cryptsetup 2.8.1. LUKS2 volume metadata is not authenticated and supports null key-encryption algorithms, so an attacker can create a volume that opens without error using any passphrase or token. The vulnerability has a CVSS score of 5.7 (Moderate) with a vector of CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N, indicating an adjacent-network attack vector, low attack complexity, and high confidentiality impact (GitHub Advisory).
When exploited, the vulnerability allows an attacker to read confidential data written to the persistent volume that should have been protected by encryption. Integrity impact was not scored because Contrast's persistent volumes were not integrity-protected at the time. The vulnerability specifically affects the secure persistent volume feature of Contrast pods (GitHub Advisory).
A partial fix was implemented in cryptsetup version 2.8.1, which disables null ciphers in keyslots when the user passphrase is nonempty. This was shipped in Contrast version v1.12.1. A more comprehensive fix was implemented in Contrast v1.13.0, which adds a detached header mode for LUKS disks: the header resides in a tmpfs file inside guest RAM and is verified before use. Additionally, integrity protection for secure persistent storage was added as a new feature in v1.13.0 (GitHub Advisory).
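As an added example (not Contrast's or cryptsetup's own code), these are the two guest-side checks the advisory's root cause and fix call for: an audit of the LUKS2 JSON metadata that rejects keyslots backed by a null cipher and segments that are not encrypted, and a hash pin for a detached header held in guest memory so a host-supplied header cannot be swapped. The metadata keys follow the LUKS2 on-disk JSON layout; the sample metadata, header bytes and the `audit_luks2_metadata`/`verify_detached_header` names are constructed for illustration.

```python
import hashlib

# Cipher specs that give no confidentiality (dm-crypt's null cipher).
NULL_CIPHERS = ("cipher_null", "null")


def is_null_cipher(spec):
    # A LUKS2 spec looks like "aes-xts-plain64" or "cipher_null-ecb";
    # only the cipher name in front of the first "-" matters here.
    return spec.split("-", 1)[0] in NULL_CIPHERS


def audit_luks2_metadata(meta):
    """Return findings for a parsed LUKS2 JSON metadata object.

    An empty list means every keyslot area and every data segment uses a
    real cipher; any finding should cause the guest to refuse the volume.
    """
    findings = []
    for slot_id, slot in meta.get("keyslots", {}).items():
        enc = slot.get("area", {}).get("encryption", "")
        if enc == "" or is_null_cipher(enc):
            findings.append(f"keyslot {slot_id}: null/missing area cipher {enc!r}")
    for seg_id, seg in meta.get("segments", {}).items():
        if seg.get("type") != "crypt":
            findings.append(f"segment {seg_id}: type {seg.get('type')!r} is not encrypted")
        elif is_null_cipher(seg.get("encryption", "")):
            findings.append(f"segment {seg_id}: null cipher {seg['encryption']!r}")
    return findings


def verify_detached_header(header_bytes, expected_sha256_hex):
    """Pin a detached LUKS2 header to a digest kept outside host control."""
    return hashlib.sha256(header_bytes).hexdigest() == expected_sha256_hex


# Constructed sample metadata (not taken from a real volume).
GOOD_META = {
    "keyslots": {"0": {"type": "luks2", "area": {"type": "raw", "encryption": "aes-xts-plain64"}}},
    "segments": {"0": {"type": "crypt", "encryption": "aes-xts-plain64"}},
}
BAD_META = {
    "keyslots": {"0": {"type": "luks2", "area": {"type": "raw", "encryption": "cipher_null-ecb"}}},
    "segments": {"0": {"type": "crypt", "encryption": "cipher_null-ecb"}},
}

# Constructed header bytes: LUKS2 magic and version 2, then filler.
SAMPLE_HEADER = b"LUKS\xba\xbe" + b"\x00\x02" + b"\x00" * 4088
SAMPLE_HEADER_SHA256 = hashlib.sha256(SAMPLE_HEADER).hexdigest()

if __name__ == "__main__":
    print(audit_luks2_metadata(GOOD_META), audit_luks2_metadata(BAD_META))
```

The audit only covers the unauthenticated metadata fields the advisory names; the hash pin is what makes a tampered header detectable at all, which is why the header has to live in guest RAM rather than on the host-provided disk.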
Source: This report was generated using AI