Added security checks to prevent mounting VeraCrypt volumes on system directories (like /usr/bin) or directories in the user's PATH, which could theoretically allow execution of malicious binaries instead of legitimate system binaries.
Key changes:
- Block mounting on protected system directories (/usr, /bin, /lib, etc.)
This restriction cannot be overridden
- Block mounting on directories present in user's PATH environment variable
This can be overridden with --allow-insecure-mount flag
- Add visual warnings (red border, "[INSECURE MODE]") when mounting on PATH directories is allowed
- Handle symlinks properly when checking paths
- Add new error messages for blocked mount points
To override PATH-based restrictions only (system directories remain protected):
veracrypt --allow-insecure-mount [options] volume mountpoint
Security Impact: Low to Medium
The attack requires either:
- User explicitly choosing a system directory as mount point instead of using VeraCrypt's default mount points
- Or attacker having both filesystem access to modify favorites configuration AND knowledge of the volume password
Default mount points are not affected by this vulnerability.
Security: CVE-2025-23021
Issue was caused by the fact that Microsoft signing certificate for driver file has changed.
We fix it by updating the SHA512 fingerprint of Microsoft code signing certificate.
This commit increases randomness quality by using more dynamic/varied sources of entropy.
PDH-based disk and network statistics collection in now added to random pool
- Introduced `GetDiskStatistics` to gather disk read/write performance data using PDH API.
- Introduced `GetNetworkStatistics` to gather network send/receive performance data using PDH API.
- Integrated high-resolution timestamps and random intervals to improve entropy in collected data.
- Updated `SlowPoll` function to utilize PDH-based disk and network statistics.
- Removed obsolete NetAPI32-based network statistics collection.
- Add IsWin10BuildAtLeast() helper function to check Windows 10 build numbers
- Replace direct build number comparison with IsWin10BuildAtLeast() for ReflectDrivers check
- Update error message to be more specific about Windows version requirement
During a Windows upgrade, ownership of veracrypt.sys is set to TrustedInstaller, preventing VeraCrypt from accessing the file during an update.
This commit resolves the issue by temporarily taking ownership of the file to rename it, allowing the new file to be copied. The setup process now obtains additional privileges for this operation, which are properly dropped once the file copying is complete.
- Made the maximum work items count configurable to allow flexibility based on system needs.
- Increased the default value of max work items count to 1024 to better handle high-throughput scenarios.
- Queue write IRPs in system worker thread to avoid potential deadlocks in write scenarios.
We always using Unicode functions to interact with UI. We convert UTF8 string to UTF16 and vis-versa.
Overwrite input string instead of using resize that caused old test to remain.
Fix case of readOnly by using correct message.
change position of OK/cancel button to match other dialogs.
Activate translation on this dialog.
This started to cause issues after latest changes to disable privileges when they are no more needed.
Because of the bug, the privileges could not be enabled again because they were wrongly removed.
