CVE-2023-0751

CVE-2023-0751: GELI silently omits the keyfile if read from stdin

Vendor FreeBSD
Product FreeBSD
Weakness CWE-20 · Input validation
Published February 8, 2023
Last update March 25, 2025

What the vulnerability does

01 Description

When GELI reads a key file from standard input, it does not reuse the key file to initialize multiple providers at once, resulting in the second and subsequent devices silently using a NULL key as the user key file. If a user only uses a key file without a user passphrase, the master key is encrypted with an empty key file, allowing trivial recovery of the master key.
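The failure mode described above, as an added example (not FreeBSD's GELI code): a simplified model in which each provider's user key is an HMAC-SHA512 over the key file bytes, keyed by a per-provider salt. The function names, salts and key file bytes are constructed for illustration; the audit helper flags any provider whose key matches the one an empty key file would produce.

```python
import hashlib
import hmac
import io

# Constructed sample data: three per-provider salts and one key file.
SALTS = [bytes([i]) * 64 for i in (1, 2, 3)]
KEYFILE = b"constructed-keyfile-material-0123456789"


def derive_user_key(keyfile_stream, salt):
    """Simplified stand-in for user-key derivation (assumption, not GELI's code):
    HMAC-SHA512 keyed by the provider salt over whatever the stream yields."""
    mac = hmac.new(salt, digestmod=hashlib.sha512)
    while True:
        chunk = keyfile_stream.read(4096)
        if not chunk:          # EOF: nothing (more) to mix into the key
            break
        mac.update(chunk)
    return mac.digest()


def init_providers_buggy(stdin_stream, salts):
    """Flawed pattern: every provider reads the same one-shot stream.
    The first read drains it, so later providers hash zero bytes."""
    return [derive_user_key(stdin_stream, salt) for salt in salts]


def init_providers_fixed(stdin_stream, salts):
    """Corrected pattern: read the key file once, then reuse the buffer."""
    keyfile = stdin_stream.read()
    return [derive_user_key(io.BytesIO(keyfile), salt) for salt in salts]


def providers_with_empty_keyfile(keys, salts):
    """Audit check: indices whose key equals the empty-key-file key."""
    return [
        i for i, (key, salt) in enumerate(zip(keys, salts))
        if hmac.compare_digest(key, derive_user_key(io.BytesIO(b""), salt))
    ]


if __name__ == "__main__":
    buggy = init_providers_buggy(io.BytesIO(KEYFILE), SALTS)
    fixed = init_providers_fixed(io.BytesIO(KEYFILE), SALTS)
    print("buggy, affected providers:", providers_with_empty_keyfile(buggy, SALTS))
    print("fixed, affected providers:", providers_with_empty_keyfile(fixed, SALTS))
```

In this model only the first provider is protected by the key file under the flawed pattern; every later one ends up with a key that depends on no secret input at all.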

Key dates

02 Disclosure timeline

February 8, 2023 CVE published
March 25, 2025 Record updated