PatchSiren cyber security CVE debrief
CVE-2026-6420 Red Hat CVE debrief
CVE-2026-6420 is a medium-severity vulnerability in the Keylime verifier. An attacker with root access on an enrolled monitored machine can exploit this flaw to stockpile valid TPM quotes and replay them to evade detection. The verifier uses a hardcoded challenge nonce for TPM quote attestation instead of a cryptographically random value. This issue affects only the push model deployment. The Common Vulnerability Scoring System (CVSS) score for this vulnerability is 6.3, indicating a medium severity.
- Vendor: Red Hat
- Product: Red Hat Enterprise Linux 10
- CVSS: MEDIUM 6.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-06
- Original CVE updated: 2026-06-24
- Advisory published: 2026-05-06
- Advisory updated: 2026-06-24
Who should care
Security teams responsible for Keylime deployments, particularly those using the push model, should take note of this vulnerability. An attacker with root access on an enrolled monitored machine could exploit this flaw to evade detection, so defenders should assess their exposure and take the necessary mitigating actions.
Technical summary
The Keylime verifier uses a hardcoded challenge nonce for Trusted Platform Module (TPM) quote attestation instead of a cryptographically random value. The nonce is what is supposed to make each quote fresh: the verifier issues it, the TPM signs it together with the PCR state, and a quote that answers a previous challenge should not be accepted for the current one. Because the challenge never changes, a quote signed once remains acceptable indefinitely. This allows an attacker with root access on an enrolled monitored machine to stockpile valid TPM quotes and replay them to evade detection after compromising the system. The vulnerability affects only the push model deployment of Keylime. The CVSS vector for this vulnerability is CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L.
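The following is an added illustration of the mechanism described above; it is example code written for this debrief, not Keylime's own code. The TPM, the attestation key and the PCR state are constructed stand-ins: the "quote" is an HMAC under a demo key rather than a real TPM2_Quote signature, the PCR bank is reduced to a single digest, and the verifier check is simplified to nonce, PCR digest and signature. `simulate(False)` models a verifier that reuses one fixed challenge, `simulate(True)` a verifier that issues a fresh random nonce per challenge; in both runs a root attacker keeps a copy of a quote taken while the measured state was still good and presents it again after the measured state has changed.

```python
"""Why a fixed attestation nonce lets a stockpiled TPM quote be replayed,
and why a fresh random nonce per challenge stops it.

Everything here is a constructed stand-in for the demo: no real TPM, no
real Keylime agent or verifier, and an HMAC instead of an AK signature.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed stand-in for the TPM attestation key (AK). A real AK never leaves the TPM;
# here it is shared so that tpm_quote() and quote_is_valid() can use the same secret.
AK_SECRET = b"constructed-demo-attestation-key"

# Constructed PCR states: the enrolled known-good state and a post-tampering state.
GOOD_PCR_DIGEST = hashlib.sha256(b"trusted boot measurements").digest()
BAD_PCR_DIGEST = hashlib.sha256(b"tampered boot measurements").digest()

# Constructed fixed value standing in for a hardcoded challenge nonce.
HARDCODED_NONCE = bytes(20)


@dataclass(frozen=True)
class Quote:
    nonce: bytes        # qualifying data the verifier asked the TPM to sign over
    pcr_digest: bytes   # digest of the PCR values covered by the quote
    signature: bytes    # constructed: HMAC standing in for the AK signature


def tpm_quote(nonce: bytes, pcr_digest: bytes) -> Quote:
    """Stand-in for TPM2_Quote: binds the nonce and the PCR digest under the AK."""
    sig = hmac.new(AK_SECRET, nonce + pcr_digest, hashlib.sha256).digest()
    return Quote(nonce, pcr_digest, sig)


def quote_is_valid(quote: Quote, expected_nonce: bytes, golden_pcr_digest: bytes) -> bool:
    """Verifier-side check: signature genuine, nonce is the one just issued, PCRs match golden."""
    expected_sig = hmac.new(AK_SECRET, quote.nonce + quote.pcr_digest, hashlib.sha256).digest()
    return (
        hmac.compare_digest(expected_sig, quote.signature)
        and hmac.compare_digest(quote.nonce, expected_nonce)
        and hmac.compare_digest(quote.pcr_digest, golden_pcr_digest)
    )


def issue_nonce(random_nonce: bool) -> bytes:
    """Vulnerable behaviour when random_nonce is False, fixed behaviour when True."""
    return secrets.token_bytes(20) if random_nonce else HARDCODED_NONCE


def simulate(random_nonce: bool) -> dict:
    """Two attestation rounds; returns what the verifier accepted in each.

    Round 1: measured state is good; the agent answers the challenge and a root
             attacker on the host keeps a copy of the accepted quote.
    Round 2: measured state has changed; a fresh quote would now fail, so the
             attacker answers the new challenge with the stockpiled quote instead.
    """
    nonce1 = issue_nonce(random_nonce)
    clean_quote = tpm_quote(nonce1, GOOD_PCR_DIGEST)
    clean_accepted = quote_is_valid(clean_quote, nonce1, GOOD_PCR_DIGEST)
    stockpiled = clean_quote

    nonce2 = issue_nonce(random_nonce)
    fresh_quote = tpm_quote(nonce2, BAD_PCR_DIGEST)
    fresh_accepted = quote_is_valid(fresh_quote, nonce2, GOOD_PCR_DIGEST)
    replay_accepted = quote_is_valid(stockpiled, nonce2, GOOD_PCR_DIGEST)

    return {
        "clean_quote_accepted": clean_accepted,
        "fresh_quote_after_tampering_accepted": fresh_accepted,
        "replayed_quote_after_tampering_accepted": replay_accepted,
    }


if __name__ == "__main__":
    for label, flag in (("hardcoded nonce", False), ("random nonce", True)):
        print(label, simulate(flag))
```

With the fixed nonce the replayed quote is accepted in round 2 even though the fresh quote would have been rejected, which is exactly the evasion the advisory describes; with a per-challenge random nonce the replayed quote fails the nonce comparison and the verifier sees the tampered state. The nonce check is the verifier's own replay detection, which is why the fix is a cryptographically random value rather than any additional logging.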
Defensive priority
Defenders should prioritize patching or mitigating this vulnerability in Keylime deployments, especially in environments where an attacker gaining root access is a concern. Given the medium severity and potential for exploitation, timely action is recommended.
Recommended defensive actions
- Assess Keylime deployment configurations and identify instances using the push model.
- Verify if the affected Keylime verifier is in use and prioritize patching.
- Implement compensating controls to monitor for suspicious TPM quote activity.
- Review and update incident response plans to account for potential exploitation.
- Consider enhancing monitoring and logging for Keylime verifier interactions.
Evidence notes
The CVE-2026-6420 record was obtained from the National Vulnerability Database (NVD) and provides details on the Keylime verifier vulnerability. The vulnerability allows an attacker with root access to exploit the hardcoded challenge nonce in TPM quote attestation. The CVSS score and vector provide additional context on the severity and characteristics of the vulnerability.
Official resources
This article is AI-assisted and based on the supplied source corpus.