Skip to main content
A Leader in the 2026 Gartner® Magic Quadrant™ for Endpoint Protection. Six years running.Find Out Why
CVE Vulnerability Database
Vulnerability Database/CVE-2026-6420

CVE-2026-6420: Keylime Privilege Escalation Vulnerability

CVE-2026-6420 is a privilege escalation vulnerability in Keylime that allows attackers with root access to replay TPM quotes and evade detection. This article covers technical details, affected versions, impact, and mitigation.

Published:

CVE-2026-6420 Overview

CVE-2026-6420 is a cryptographic flaw in Keylime, a remote boot attestation and runtime integrity measurement framework. The Keylime verifier uses a hardcoded challenge nonce when requesting Trusted Platform Module (TPM) quote attestations from the agent. Because the nonce is not cryptographically random, an attacker with root access on an enrolled monitored machine can collect valid TPM quotes in advance and replay them after compromising the system. The replay allows the attacker to evade integrity detection. The issue affects only the push model deployment of Keylime and is tracked under [CWE-1241] (Use of Predictable Algorithm in Random Number Generator).

Critical Impact

A local attacker with root privileges on a monitored host can replay pre-recorded TPM quotes to defeat Keylime runtime attestation in push-mode deployments.

Affected Products

  • Keylime (push model deployment)
  • Red Hat distributions packaging the affected Keylime verifier
  • Systems using Keylime push-mode TPM attestation

Discovery Timeline

  • 2026-05-06 - CVE CVE-2026-6420 published to NVD
  • 2026-05-06 - Last updated in NVD database

Technical Details for CVE-2026-6420

Vulnerability Analysis

Keylime performs continuous runtime attestation by asking each agent to produce a TPM quote. A quote is a TPM-signed structure that binds Platform Configuration Register (PCR) values to a verifier-supplied nonce. The nonce exists specifically to guarantee freshness and prevent replay. In the affected push-mode code path, the verifier supplies the same hardcoded nonce on every challenge instead of generating a fresh cryptographically random value. The TPM signs whatever nonce it receives, so quotes built with the static nonce remain indefinitely valid from the verifier's perspective.

An attacker who obtains root on an enrolled host can request quotes through the local TPM while the system is still in a known-good state. After tampering with the system, the attacker stops the legitimate agent and replays the cached quotes when the verifier polls. The verifier accepts them because signature, PCR digest, and nonce all match expected values. Detection of unauthorized changes to measured boot or Integrity Measurement Architecture (IMA) state is bypassed.

Root Cause

The root cause is the use of a predictable, hardcoded value where a fresh random nonce is required by the TPM attestation protocol. This violates the freshness assumption that makes quote-based remote attestation meaningful and falls under [CWE-1241].

Attack Vector

Exploitation requires local root access on the monitored machine running the Keylime agent. The attacker collects valid quotes before tampering, then serves them back to the verifier after compromise. No network-side privileges or verifier compromise are needed. Exploitation is limited to deployments using the push model.

// No verified exploit code is published. Conceptually:
// 1. Attacker (root) requests TPM quotes using the known hardcoded nonce while host is clean.
// 2. Attacker stores the signed quotes locally.
// 3. Attacker modifies system files / kernel modules tracked by IMA.
// 4. Attacker intercepts verifier polls and replies with the stored quotes.
// 5. Verifier validates signature + nonce + PCRs and reports the host as healthy.

Detection Methods for CVE-2026-6420

Indicators of Compromise

  • Repeated identical TPM quote payloads returned by an agent across multiple verifier polling cycles.
  • Keylime agent process restarts, unexpected listener bindings, or unusual local TPM access patterns on monitored hosts.
  • Divergence between Keylime-reported PCR or IMA state and out-of-band measurements collected from the same host.

Detection Strategies

  • Compare TPM quote nonces and timestamps observed by the verifier across sessions to flag static or repeating nonces.
  • Correlate Keylime attestation results with host telemetry such as package changes, kernel module loads, and IMA log entries to surface unexplained mismatches.
  • Audit Keylime verifier logs for agents that consistently return byte-identical quote structures.

Monitoring Recommendations

  • Centralize Keylime verifier logs and TPM event logs into the security data lake for long-term retention and correlation.
  • Alert on root-level access and process executions that interact with /dev/tpm0, /dev/tpmrm0, or the Keylime agent socket on enrolled hosts.
  • Monitor for unauthorized changes to Keylime configuration files and to the agent binary itself.

How to Mitigate CVE-2026-6420

Immediate Actions Required

  • Inventory all Keylime deployments and identify which use the push model, since only those are affected.
  • Apply vendor-supplied Keylime updates that replace the hardcoded nonce with a cryptographically random value generated per attestation.
  • Restrict and monitor root access on enrolled monitored machines, treating root compromise as a precondition for this attack.

Patch Information

Refer to the Red Hat CVE Announcement and the Red Hat Bug Report #2458889 for fixed package versions and distribution-specific advisories. Upgrade Keylime verifier and agent components together to ensure protocol compatibility once nonces are randomized.

Workarounds

  • Switch attestation to the pull model where feasible until the patched verifier is deployed.
  • Reduce verifier polling intervals and combine Keylime attestation with independent host integrity controls so a single replayed quote is not authoritative.
  • Enforce least privilege on monitored machines and require multi-party approval for granting root, reducing the population of accounts able to harvest quotes.
bash
# Verify installed Keylime version on Red Hat-based systems
rpm -q keylime keylime-agent keylime-verifier

# Apply vendor updates once patched packages are released
sudo dnf update keylime keylime-agent keylime-verifier

# Restart services after upgrade
sudo systemctl restart keylime_verifier keylime_agent

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.

Try SentinelOne