CVE-2026-6420 MEDIUM

CVE-2026-6420: Keylime: keylime: security bypass due to hardcoded TPM quote nonce

Vendor Red Hat
Product Red Hat Enterprise Linux 10
Weakness CWE-1241 (Use of Predictable Algorithm in Random Number Generator)
Published May 6, 2026
Last update May 6, 2026

CVSS base score

6.3/10 (Medium)
Attack vector Local
Attack complexity Low
Privileges required High
User interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability Low

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L

What the vulnerability does

Description

A flaw was found in Keylime. In the push-model deployment, the Keylime verifier uses a hardcoded challenge nonce for Trusted Platform Module (TPM) quote attestation instead of a fresh, cryptographically random value for each attestation round. Because the nonce never changes, a quote produced for one round stays valid for every later round. An attacker with root access on an enrolled, monitored machine (where the Keylime agent runs) can therefore record quotes while the machine's measured state is still good, compromise the system, and replay the stockpiled quotes to the verifier, so the change in PCR values that remote attestation should expose is never detected. Only the push model deployment is affected.
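The replay the description refers to, shown as an added example that is not Keylime's code and does not reproduce the real Keylime protocol exchange: a simulated TPM issues quotes that bind a nonce to its PCR digest, a verifier that hard-codes the nonce accepts a quote recorded before tampering, and a verifier that issues a fresh random nonce per round and accepts each nonce once rejects it. The HMAC stand-in for the attestation-key signature, the fixed nonce value, the AK secret, the 32-byte nonce length and the measurements are all constructed for this example.

```python
"""Simulated TPM quote attestation: fixed nonce vs. fresh per-challenge nonce.

Added illustration, not Keylime code.  A real TPM2_Quote signs a TPMS_ATTEST
structure carrying the verifier's nonce (qualifyingData) and a digest of the
selected PCRs under the attestation key (AK); here an HMAC under a constructed
AK secret plays the role of that signature.
"""
import hashlib
import hmac
import secrets

PCR_COUNT = 24


class SimulatedTpm:
    """Stand-in for a TPM holding an AK and 24 SHA-256 PCRs."""

    def __init__(self, ak_secret: bytes) -> None:
        self._ak_secret = ak_secret
        self.pcrs = [bytes(32)] * PCR_COUNT

    def extend(self, index: int, measurement: bytes) -> None:
        # TPM2_PCR_Extend: PCR[i] = H(PCR[i] || H(measurement))
        self.pcrs[index] = hashlib.sha256(
            self.pcrs[index] + hashlib.sha256(measurement).digest()
        ).digest()

    def pcr_digest(self) -> bytes:
        """Digest over all PCRs, the role of TPMS_QUOTE_INFO.pcrDigest."""
        return hashlib.sha256(b"".join(self.pcrs)).digest()

    def quote(self, nonce: bytes) -> dict:
        """Quote binding the caller's nonce to the current PCR digest."""
        digest = self.pcr_digest()
        sig = hmac.new(self._ak_secret, nonce + digest, hashlib.sha256).digest()
        return {"nonce": nonce, "pcr_digest": digest, "sig": sig}


def quote_signature_valid(ak_secret: bytes, q: dict) -> bool:
    expected = hmac.new(ak_secret, q["nonce"] + q["pcr_digest"], hashlib.sha256).digest()
    return hmac.compare_digest(expected, q["sig"])


class VulnerableVerifier:
    """Always challenges with the same nonce, so a quote never goes stale."""

    HARDCODED_NONCE = b"constructed-fixed-nonce"  # placeholder, not the real value

    def __init__(self, ak_secret: bytes, golden_digest: bytes) -> None:
        self.ak_secret = ak_secret
        self.golden_digest = golden_digest

    def challenge(self) -> bytes:
        return self.HARDCODED_NONCE

    def attest(self, q: dict) -> bool:
        return (
            q["nonce"] == self.HARDCODED_NONCE
            and quote_signature_valid(self.ak_secret, q)
            and q["pcr_digest"] == self.golden_digest
        )


class HardenedVerifier:
    """Fresh random nonce per challenge; each issued nonce is accepted once."""

    def __init__(self, ak_secret: bytes, golden_digest: bytes) -> None:
        self.ak_secret = ak_secret
        self.golden_digest = golden_digest
        self._outstanding = set()

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(32)  # CSPRNG; the length is this example's choice
        self._outstanding.add(nonce)
        return nonce

    def attest(self, q: dict) -> bool:
        if q["nonce"] not in self._outstanding:
            return False  # never issued, or already consumed: treat as a replay
        self._outstanding.discard(q["nonce"])  # single use
        return (
            quote_signature_valid(self.ak_secret, q)
            and q["pcr_digest"] == self.golden_digest
        )


def replay_scenario(verifier_cls) -> dict:
    """Root attacker records a quote while clean, tampers, then replays it."""
    ak = b"constructed-ak-secret"
    tpm = SimulatedTpm(ak)
    tpm.extend(10, b"sshd: known-good build")  # constructed measurement
    verifier = verifier_cls(ak, tpm.pcr_digest())  # enrolled with the clean state

    # 1. While the machine is still clean, answer a challenge and keep the quote.
    stockpiled = tpm.quote(verifier.challenge())
    first_round_ok = verifier.attest(stockpiled)

    # 2. Tamper: a new measurement lands in PCR 10, so an honest quote now fails.
    tpm.extend(10, b"sshd: backdoored build")
    honest_after_tamper = verifier.attest(tpm.quote(verifier.challenge()))

    # 3. Next round: send the stockpiled quote instead of a fresh one.
    verifier.challenge()
    replay_after_tamper = verifier.attest(stockpiled)

    return {
        "first_round_ok": first_round_ok,
        "honest_after_tamper": honest_after_tamper,
        "replay_after_tamper": replay_after_tamper,
    }


if __name__ == "__main__":
    print("hardcoded nonce:", replay_scenario(VulnerableVerifier))
    print("random nonce:   ", replay_scenario(HardenedVerifier))
```

Both verifiers reject the honest post-tamper quote, since the PCR digest no longer matches the enrolled golden value; only the verifier that reuses one nonce accepts the stockpiled quote. The single-use set is what ties a quote to the round it was requested in; a fresh random nonce that the verifier forgets to check against its own outstanding challenge would be no better than a constant. When reviewing an attestation deployment, the symptom to look for is the same nonce value appearing in every attestation round.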

Key dates

Disclosure timeline

May 6, 2026 CVE published
May 6, 2026 Record updated