Keylime Verifier Hardcoded Nonce Enables TPM Quote Replay
CVE-2026-6420 Published on May 6, 2026

Keylime: keylime: security bypass due to hardcoded tpm quote nonce
A flaw was found in Keylime. An attacker with root access on an enrolled monitored machine, where the Keylime agent runs, can exploit a vulnerability in the Keylime verifier. The verifier uses a hardcoded challenge nonce for Trusted Platform Module (TPM) quote attestation instead of a cryptographically random value. This allows the attacker to stockpile valid TPM quotes and replay them to evade detection after compromising the system. This issue affects only the push model deployment.

NVD

Vulnerability Analysis

CVE-2026-6420 is exploitable with local system access, and requires user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a high impact on confidentiality and integrity, and a small impact on availability.

Attack Vector:
LOCAL
Attack Complexity:
LOW
Privileges Required:
HIGH
User Interaction:
NONE
Scope:
UNCHANGED
Confidentiality Impact:
HIGH
Integrity Impact:
HIGH
Availability Impact:
LOW

Timeline

Reported to Red Hat.

Made public. 20 days later.

Weakness Type

Use of Predictable Algorithm in Random Number Generator

The device uses an algorithm that is predictable and generates a pseudo-random number.


Products Associated with CVE-2026-6420

Want to know whenever a new CVE is published for Red Hat Enterprise Linux (RHEL)? stack.watch will email you.

Red Hat Enterprise Linux (RHEL)
 

Affected Versions

Red Hat Enterprise Linux 10: Red Hat Enterprise Linux 9: