This update introduces a screen protection mechanism that leverages the Windows Display Affinity API to prevent screen capture, screen recording, and inclusion in the Windows 11 Recall feature. By default, all VeraCrypt windows, menus, and tooltips are protected. Users can enable or disable this feature through a new setting available in the application Preferences, as well as in the installer and MSI configurations.
This enhances user privacy by mitigating potential leaks of sensitive interface content.
Note: Due to a regression in Windows 11 affecting layered windows, ComboBox dropdowns cannot currently be protected by this mechanism.
* refactor: use UNMOUNT instead of DISMOUNT in code
This change updates the term DISMOUNT in constants to UNMOUNT.
Other occurrences (e.g. variable names) are left alone for now.
* refactor(ui): use unmount instead of dismount
This change updates the GUI text and replaces dismount with unmount.
* docs: update term dismount -> unmount
* refactor(cmdline): add unmount
This change adds an argument 'unmount' for command line usage, while
trying to deprecate the old dismount argument.
The current dismount argument/flag will still work to not introduce
a breaking change.
* docs: mention that /dismount is deprecated
This change fixes the shorthand version of the argument /unmount.
It also adds back the info for /dismount and that it is deprecated.
Added security checks to prevent mounting VeraCrypt volumes on system directories (like /usr/bin) or directories in the user's PATH, which could theoretically allow execution of malicious binaries instead of legitimate system binaries.
Key changes:
- Block mounting on protected system directories (/usr, /bin, /lib, etc.)
  This restriction cannot be overridden
- Block mounting on directories present in user's PATH environment variable
  This can be overridden with --allow-insecure-mount flag
- Add visual warnings (red border, "[INSECURE MODE]") when mounting on PATH directories is allowed
- Handle symlinks properly when checking paths
- Add new error messages for blocked mount points
To override PATH-based restrictions only (system directories remain protected):
    veracrypt --allow-insecure-mount [options] volume mountpoint
Security Impact: Low to Medium
The attack requires either:
- User explicitly choosing a system directory as mount point instead of using VeraCrypt's default mount points
- Or attacker having both filesystem access to modify favorites configuration AND knowledge of the volume password
Default mount points are not affected by this vulnerability.
Security: CVE-2025-23021
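The mount-point policy described in the commit message above, sketched as an added example (this is not VeraCrypt's code). The names `classify_mount_point`, `MountVerdict`, `canonical` and `is_within` are hypothetical, the protected list holds only the three directories the message names, and `allowInsecureMount` stands in for the `--allow-insecure-mount` flag.

```cpp
#include <climits>
#include <cstdlib>
#include <sstream>
#include <string>
#include <vector>

enum class MountVerdict { Allowed, BlockedSystemDir, BlockedPathDir };

// Resolve symlinks, "." and ".."; fall back to the raw string if the path does not exist.
static std::string canonical(const std::string& p) {
    char buf[PATH_MAX];
    return realpath(p.c_str(), buf) ? std::string(buf) : p;
}

// True when `path` equals `dir` or lies beneath it ("/usr/bin" is under "/usr", "/usrlocal" is not).
static bool is_within(const std::string& path, const std::string& dir) {
    if (path.compare(0, dir.size(), dir) != 0) return false;
    return path.size() == dir.size() || path[dir.size()] == '/';
}

MountVerdict classify_mount_point(const std::string& mountPoint,
                                  const std::string& pathEnv,
                                  bool allowInsecureMount = false) {
    const std::string target = canonical(mountPoint);
    // Assumption: only the directories named in the commit message; its "etc." is not filled in.
    const std::vector<std::string> protectedDirs = {"/usr", "/bin", "/lib"};
    for (const std::string& d : protectedDirs)
        if (is_within(target, canonical(d))) return MountVerdict::BlockedSystemDir;
    // The override is consulted only after the system-directory check has passed.
    if (allowInsecureMount) return MountVerdict::Allowed;
    std::istringstream entries(pathEnv);
    std::string entry;
    while (std::getline(entries, entry, ':')) {
        if (entry.empty()) continue;  // an empty entry means the current directory; skipped here
        if (canonical(entry) == target) return MountVerdict::BlockedPathDir;
    }
    return MountVerdict::Allowed;
}

int main(int argc, char** argv) {
    const char* path = std::getenv("PATH");
    MountVerdict v = classify_mount_point(argc > 1 ? argv[1] : "/usr/bin", path ? path : "");
    return v == MountVerdict::Allowed ? 0 : 1;  // non-zero exit when the mount point is refused
}
```

Both the candidate mount point and every comparison directory are canonicalized first, so a symlink or a `..` segment that leads into a protected directory is judged by where it actually resolves.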
* Implement Language selection into settings
Initial commit to create a new tab in PreferencesNotebook for
Language selection. By default, if nothing is chosen, it uses the
current behaviour of using the language from system environment
variables. If another language is chosen from the settings, it is
saved into the Configuration.xml and this is used instead.
* Fix SetStringSelection() assert issue on macOS
* Add header include to fix build
* Add current language pack, authors and way to use literal strings
* Translations also for FreeBSD
* Minimal GTK3 WX build on FreeBSD requires wxGraphicsContext
* Get Preferences properly instead of workaround function
* Use WrapSizer instead of BoxSizer for author line
This forces long author lists to be put on a new line, reducing
the need to increase window width.
* Update Finnish translation
* Borrow translation from IDM_LANGUAGE where it makes sense
* Remove colon and thus unneeded function
* Simplify Language tab layout
* Reintroduce macOS specific fixes to Forms.cpp
* cleanup