{"id":"CVE-2021-4122","details":"It was found that a specially crafted LUKS header could trick cryptsetup into disabling encryption during the recovery of the device. An attacker with physical access to the medium, such as a flash disk, could use this flaw to force a user into permanently disabling the encryption layer of that medium.","modified":"2026-04-16T04:38:29.368724565Z","published":"2022-08-24T16:15:09.427Z","related":["ALSA-2022:0370","SUSE-SU-2022:0144-1","openSUSE-SU-2022:0144-1","openSUSE-SU-2024:11754-1"],"references":[{"type":"ADVISORY","url":"https://access.redhat.com/security/cve/CVE-2021-4122"},{"type":"ADVISORY","url":"https://mirrors.edge.kernel.org/pub/linux/utils/cryptsetup/v2.4/v2.4.3-ReleaseNotes"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2031859"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2032401"},{"type":"FIX","url":"https://gitlab.com/cryptsetup/cryptsetup/-/commit/0113ac2d889c5322659ad0596d4cfc6da53e356c"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://gitlab.com/cryptsetup/cryptsetup","events":[{"introduced":"0"},{"fixed":"1fae09d6077183dbddc79f914ab9cf65eb4a9ced"},{"introduced":"0f8e7f317f9b2daa4c4f8ef10e2dae8fcac9479b"},{"fixed":"c67861e875896399120c690b65bd8a5312290da1"},{"fixed":"0113ac2d889c5322659ad0596d4cfc6da53e356c"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"2.3.7"},{"introduced":"2.4.0"},{"fixed":"2.4.3"}]}}],"versions":["v1_4_2","v1_5_0","v1_5_1","v1_6_0","v1_6_1","v1_6_2","v1_6_3","v1_6_4","v1_6_5","v1_6_6","v1_6_7","v1_6_8","v1_7_0","v2.0.0","v2.0.0-rc0","v2.0.0-rc1","v2.0.1","v2.0.2","v2.0.3","v2.0.4","v2.0.5","v2.1.0","v2.2.0","v2.2.0-rc0","v2.2.0-rc1","v2.2.1","v2.2.2","v2.3.0","v2.3.0-rc0","v2.3.1","v2.3.2","v2.3.3","v2.3.4","v2.3.5","v2.3.5-rc0","v2.3.6","v2.4.0","v2.4.1","v2.4.2"],"database_specific":{"vanir_signatures_modified":"2026-04-11T18:45:25Z","source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-4122.json","vanir_signatures":[{"signature_version":"v1","signature_type":"Function","id":"CVE-2021-4122-0f056aff","source":"https://gitlab.com/cryptsetup/cryptsetup@0113ac2d889c5322659ad0596d4cfc6da53e356c","digest":{"length":3782,"function_hash":"280583083633981402384101864126374883680"},"target":{"function":"reencrypt_load_by_passphrase","file":"lib/luks2/luks2_reencrypt.c"},"deprecated":false},{"signature_type":"Line","deprecated":false,"id":"CVE-2021-4122-13d02013","source":"https://gitlab.com/cryptsetup/cryptsetup@0113ac2d889c5322659ad0596d4cfc6da53e356c","digest":{"threshold":0.9,"line_hashes":["30232732537702908620677538415576625375","226899050737051827622489035532079516619","100301087747651152887678366955260905774","57069836659847097420184984622378406442","210315452777968003498475117483492970601","227294705111980599500935209209943982409","200647087148236740910778222814870820020","140203482773118558925957559736377562599","18002782061390375986255561766876481027","260812771520799075124363380318066993705","218166068297067935076386151905800559168","118277577782542416065440840350793174150","275340091365753888434691927761624808196","310656081205261081706598108968462133693","163546931062024968240777094730349747782","302238744662940970017380643143856951981","117549415332556271945313515980993273562"]},"target":{"file":"lib/luks2/luks2_keyslot.c"},"signature_version":"v1"},{"signature_version":"v1","signature_type":"Line","id":"CVE-2021-4122-1aec69d4","source":"https://gitlab.com/cryptsetup/cryptsetup@0113ac2d889c5322659ad0596d4cfc6da53e356c","digest":{"threshold":0.9,"line_hashes":["229533184189874078191172006230479060735"]},"target":{"file":"lib/luks2/luks2.h"},"deprecated":false},{"signature_version":"v1","signature_type":"Line","source":"https://gitlab.com/cryptsetup/cryptsetup@0113ac2d889c5322659ad0596d4cfc6da53e356c","id":"CVE-2021-4122-1c2dcda9","target":{"file":"lib/setup.c"},"digest":{"threshold":0.9,"line_hashes":["193422928526178610764225453717526529612","214512679249377912395334810158705390911","220317002438241394263186426213134311883","149990553798582294795564610976754062031","268119641257374591487204144687626890584","14330040233253226749372236386912913178","250478416473510099015395475824018175738","97819853104061615585707364011302368115","331011034105796640554226602157144142551","264290276162489175592627040813641300641","339459831611179386131939680802407830998","311101136380418912257680092783593413841","168827795882406385871360871210303301617","178304735769795570661583445140603790233"]},"deprecated":false},{"signature_version":"v1","signature_type":"Line","source":"https://gitlab.com/cryptsetup/cryptsetup@0113ac2d889c5322659ad0596d4cfc6da53e356c","id":"CVE-2021-4122-2032cdf8","target":{"file":"lib/luks2/luks2_json_metadata.c"},"digest":{"threshold":0.9,"line_hashes":["46231182601655516708070233524663597104","224112608926874460703848349453319316839","69015847232423740255697676338408376007","71565915841268012553074374536314391764","2932236234913867506529309571899938879","72794739920782439681987912964766355678","220610300940532800719893618851750461144","208386126503759850334306752602861117302","2452011062293750757608770229415336389","125897401305169399477534967427910273097","206086674930141127671490116110976222330","256513106088107614534300493953783670567","240582498401731467886379040527740739236","67807997243773667552009519872304329769","6484786474746146437009504781423179688","338229448975320693436411836559721467342","167907276735872147490096511134961605326","279622137303362408545328426071723823289","139079920994186176936239401291802120020","206281310342728241671569256223971445480","264707406724182624205959543715081446555","283853479007839067829583826422275347145","31003390239268969887725516962069103729","197053700061263394999607216500117587336","2685959817068268713111875288876075501","137380995259966002695916896210514606408","144034676048507645286356888295034733443","292576617177303141900790694922046099014","29628646725186324436364678628344864748","198288831451435650184296917743436617282","45262532942989460106759826735410977512","88756571275279463889316371401537821193","19179392577822091441716626896560188680","129496653848828165009074667524864802594","27902600029846502209904589757289361220","212501139675784861884649321636854628620"]},"deprecated":false},{"signature_type":"Line","deprecated":false,"id":"CVE-2021-4122-297c2b35","source":"https://gitlab.com/cryptsetup/cryptsetup@0113ac2d889c5322659ad0596d4cfc6da53e356c","digest":{"threshold":0.9,"line_hashes":["222803837892361236638537830560287911263","75675767703528167153372063305403502109","132151590132488500572828585369276084554","51687430285729188219131027227097956189","154563649829051148024813527237967311796"]},"target":{"file":"lib/luks2/luks2_internal.h"},"signature_version":"v1"},{"signature_version":"v1","signature_type":"Function","id":"CVE-2021-4122-2da818e2","source":"https://gitlab.com/cryptsetup/cryptsetup@0113ac2d889c5322659ad0596d4cfc6da53e356c","digest":{"function_hash":"231111618382801146553965144778668319290","length":743},"target":{"function":"LUKS2_config_get_requirements","file":"lib/luks2/luks2_json_metadata.c"},"deprecated":false},{"signature_type":"Line","deprecated":false,"source":"https://gitlab.com/cryptsetup/cryptsetup@0113ac2d889c5322659ad0596d4cfc6da53e356c","id":"CVE-2021-4122-3f72d29f","target":{"file":"lib/luks2/luks2_reencrypt.c"},"digest":{"threshold":0.9,"line_hashes":["71527949442570837539128099171364531890","17666226990284569091447256493543814176","155646402420083986891765801113063914304","159300226775464302333819137408095947715","312731325029142493700567391924042724604","327969385320937748105307126927199694636","39733110941925615081051429200512759466","106853615242888887688600213516842924749","142312346491990648660773858316149877637","179538203215466526497180160680816524552","326340642656970996288300374009757962319","75820690976999397549142353351043987318","226031482665490460195974167188027690014","162768110715370050897725434260927541179","16173526585455077635912307870069286250","166342706008813434051149274634293593916","43166420076411095938708194408988654898","18735156731369680467460087624018090307","30268764874110208689623942074872154227","14650516440128284934530120783848899539","281819847597721762022704080290676535101","211758513843354235281547022931341461544","98037720357914806106212350718507636050","259609377698501449082152356980494483484","39134733624135609536906175992246420997","220292094207418664256570556938194992176","81893458518733672939934044302493890098","34674460822913158497662977361669461876","334569256747025232403737565721226121491","308476368208708124954089619896910576711","229480047687454597629642774288074134256","128060274469555875941300287571820925010","108273001259023160111452662127337217574","257225612726141250498257043034492474458","207369334502162787292259248194023116615","225337477239938318092512696847063471231","240268363117548598694583663206840682139","175360371039478300745821723414195634275","148299451092371921587910108433738091137","293234896645820122893078975962676122940","120607951497944482535915401470695046926","24500187300963294506406053347578779775","120382343606477119430180789548071513465","124601925049855021241219928343722266093","79710592664835819722034568872925006341","18370188827889518747814720625761404816","175234065597820323714777761210863809454"]},"signature_version":"v1"},{"signature_version":"v1","signature_type":"Function","source":"https://gitlab.com/cryptsetup/cryptsetup@0113ac2d889c5322659ad0596d4cfc6da53e356c","id":"CVE-2021-4122-4bbbf1c1","digest":{"length":506,"function_hash":"137043537879747408395383187308486516470"},"target":{"function":"LUKS2_keyslot_area","file":"lib/luks2/luks2_keyslot.c"},"deprecated":false},{"deprecated":false,"signature_version":"v1","id":"CVE-2021-4122-5f4af1e6","source":"https://gitlab.com/cryptsetup/cryptsetup@0113ac2d889c5322659ad0596d4cfc6da53e356c","digest":{"length":679,"function_hash":"338166959967147955209234897669591738159"},"target":{"function":"reencrypt_load","file":"lib/luks2/luks2_reencrypt.c"},"signature_type":"Function"},{"signature_version":"v1","signature_type":"Function","source":"https://gitlab.com/cryptsetup/cryptsetup@0113ac2d889c5322659ad0596d4cfc6da53e356c","id":"CVE-2021-4122-63805ada","digest":{"length":563,"function_hash":"235269997061953916513679884419444083640"},"target":{"function":"_open_and_activate_luks2","file":"lib/setup.c"},"deprecated":false},{"signature_type":"Function","deprecated":false,"source":"https://gitlab.com/cryptsetup/cryptsetup@0113ac2d889c5322659ad0596d4cfc6da53e356c","id":"CVE-2021-4122-639f4ffd","digest":{"length":1139,"function_hash":"210288093199455164781477651976813875503"},"target":{"function":"LUKS2_config_set_requirements","file":"lib/luks2/luks2_json_metadata.c"},"signature_version":"v1"},{"signature_version":"v1","signature_type":"Function","id":"CVE-2021-4122-764a6e11","source":"https://gitlab.com/cryptsetup/cryptsetup@0113ac2d889c5322659ad0596d4cfc6da53e356c","digest":{"length":4340,"function_hash":"95505938889632888516216132268577428014"},"target":{"function":"reencrypt_init","file":"lib/luks2/luks2_reencrypt.c"},"deprecated":false},{"signature_type":"Line","deprecated":false,"source":"https://gitlab.com/cryptsetup/cryptsetup@0113ac2d889c5322659ad0596d4cfc6da53e356c","id":"CVE-2021-4122-76a4de7c","target":{"file":"lib/luks2/luks2_keyslot_reenc.c"},"digest":{"threshold":0.9,"line_hashes":["282199074063632969436349940632856623192","303837865479555682342154663634542567614","134363837491737712141786229925894019870","256976157891017164809459992679687964043","182576869089759391629278990384034686538","307466094275546557692673559447694800834"]},"signature_version":"v1"},{"signature_version":"v1","signature_type":"Function","source":"https://gitlab.com/cryptsetup/cryptsetup@0113ac2d889c5322659ad0596d4cfc6da53e356c","id":"CVE-2021-4122-93e12c3f","target":{"function":"reencrypt_recovery","file":"lib/luks2/luks2_reencrypt.c"},"digest":{"length":708,"function_hash":"220868631105894576907179084446445356065"},"deprecated":false},{"signature_version":"v1","signature_type":"Function","source":"https://gitlab.com/cryptsetup/cryptsetup@0113ac2d889c5322659ad0596d4cfc6da53e356c","id":"CVE-2021-4122-a3836cd0","digest":{"length":1690,"function_hash":"321617772863065084398096143904109685690"},"target":{"function":"_open_and_activate_reencrypt_device","file":"lib/setup.c"},"deprecated":false},{"signature_version":"v1","signature_type":"Function","id":"CVE-2021-4122-a7636ebe","source":"https://gitlab.com/cryptsetup/cryptsetup@0113ac2d889c5322659ad0596d4cfc6da53e356c","digest":{"length":3114,"function_hash":"109013237094827113979040709763486976537"},"target":{"function":"reencrypt_step","file":"lib/luks2/luks2_reencrypt.c"},"deprecated":false},{"signature_version":"v1","signature_type":"Function","source":"https://gitlab.com/cryptsetup/cryptsetup@0113ac2d889c5322659ad0596d4cfc6da53e356c","id":"CVE-2021-4122-a7d081f7","digest":{"length":1814,"function_hash":"302011889753504769371368417191478394126"},"target":{"function":"crypt_reencrypt_run","file":"lib/luks2/luks2_reencrypt.c"},"deprecated":false},{"signature_version":"v1","signature_type":"Function","id":"CVE-2021-4122-b8345a88","source":"https://gitlab.com/cryptsetup/cryptsetup@0113ac2d889c5322659ad0596d4cfc6da53e356c","digest":{"length":1175,"function_hash":"133909510209946210242231519014827053130"},"target":{"function":"reencrypt_keyslot_update","file":"lib/luks2/luks2_reencrypt.c"},"deprecated":false},{"signature_version":"v1","signature_type":"Function","source":"https://gitlab.com/cryptsetup/cryptsetup@0113ac2d889c5322659ad0596d4cfc6da53e356c","id":"CVE-2021-4122-be0949d1","target":{"function":"get_requirement_by_name","file":"lib/luks2/luks2_json_metadata.c"},"digest":{"length":278,"function_hash":"317439171003814763278752907044432103689"},"deprecated":false}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N"}]}