Menu

1.26.29 Released 2026/6/9

General Discussion
Enigma2Illusion
1 day ago
14 hours ago

  • Enigma2Illusion

    Enigma2Illusion - 1 day ago

    Version 1.26 and newer VeraCrypt versions have deprecated the following features:

    • TrueCrypt Mode
    • HMAC-RIPEMD-160 Hash Algorithm
    • GOST89 Encryption Algorithm

    .
    See the documentation below for remediation procedures.

    Conversion Guide for VeraCrypt 1.26 and Later

    Warning to users who created hidden volumes inside file containers using VeraCrypt 1.26.6 through 1.26.28:

    A security issue fixed in VeraCrypt 1.26.29 may affect the plausible deniability of these hidden volumes. If you rely on plausible deniability, you should recreate the affected outer file container and its hidden volume using VeraCrypt 1.26.29 or later, then securely erase the old container.

    https://sourceforge.net/projects/veracrypt/files/VeraCrypt%201.26.29/

    Changes between 1.26.24 and 1.26.29 (9 June 2026):

    • All OSes:

      • Add Argon2id as an alternative memory-hard KDF for non-system volumes.
      • Use "KDF" terminology in the user interface and documentation instead of "PKCS-5 PRF".
      • Update logo icons with simplified icons without extra label text.
      • Harden XML and TLV parsers against malformed input.
      • Security: Fix GHSA-94c6-mgmv-mqc5: non-default WOLFCRYPT=1 builds now use wolfCrypt PBKDF2 instead of HKDF and honor VeraCrypt's PBKDF2 iteration count.
        - Reported by https://github.com/vastblast
        - CVE-2026-53762
      • Fix CPU feature detection and crypto implementation edge cases, including AVX2/leaf 7 detection, BLAKE2s/Argon2 no-SSE2 x86 fallback paths, Camellia SSSE3 dispatch, Twofish x64 multiblock tail handling and Whirlpool alignment.
      • Update documentation, including Argon2id/KDF information and split Windows/Unix command line usage pages.
      • Update translations.

    .

    • Windows:

      • Fix rare BSOD (Blue Screen of Death) issue affecting the VeraCrypt driver.
      • Fix hibernation crash on fresh Windows 11 25H2 installations.
      • Security: Fix GHSA-jjcr-75w7-58jp: hidden volume quick format no longer uses the file-container allocation shortcut that wrote plaintext zero sectors at 128 MiB intervals, preserving plausible deniability.
        - Reported by https://github.com/vastblast
        - Regression introduced in 1.26.6
        - CVE-2026-54073
      • Harden Windows driver input validation and crash dump filter handling (GH PR #1590).
      • Improve driver I/O handling, including safer request completion, ordered volume flush barriers, and better VERIFY/TRIM validation.
      • Fix PBKDF XSTATE cleanup and add Win64 unwind metadata for AES assembly.
      • Speed up mounting when KDF autodetection is selected.
      • Allow selecting which KDF algorithms are included in the benchmark dialog.
      • Allow canceling long mount operations from the wait dialog and with the new /cancelmount CLI switch, including auto-mount scans.
      • Add support for new Microsoft UEFI CA 2023 signed EFI bootloaders while preserving Microsoft UEFI CA 2011 support.
      • Improve EFI system encryption repair and upgrade handling, including stuck decryption finalization, Post-OOBE repair, loader restoration verification, and clearer missing-loader reporting.
      • Fix EFI DcsProp rewrite handling.
      • Fix ghost drive letter after command line unmount (GH #337, GH #1426).
      • Fix favorite volume mount race.
      • Validate PIM when changing only the KDF.
      • Fix elevated COM format drive validation and device path normalization (GH #1670).
      • Fix ReFS formatting during volume creation.
      • Fix MSI traveler disk creation with WHQL-signed drivers, ARM64 MSI build, Start Menu folder upgrades, and discovery of newer SDK MSI tools.
      • Add CLI switch /protectScreen to allow disabling screen protection in portable mode (cf documentation).
      • Add argument to CLI switch /protectMemory to allow disabling memory protection in portable mode (cf documentation).
      • Add setting and CLI switch /enableIME to allow enabling Input Method Editor (IME) in Secure Desktop.
      • Use tab control for VeraCrypt preferences to reduce clutter and size of the dialog.
      • Provide VeraCrypt C/C++ SDK for creating volumes (https://github.com/veracrypt/VeraCrypt-SDK).
      • Update LZMA SDK to version 26.01.

    .

    • Linux:

      • Update Ubuntu 25.04 dependency to require libwxgtk3.2-1t64 package.
      • Add support for building against FUSE3.
      • Add in-kernel NTFS driver selection for NTFS mounts, including --filesystem=kernel-ntfs and -m kernelntfs.
        --filesystem=ntfs3 now pins the kernel ntfs3 driver and bypasses mount helpers such as mount.ntfs3.
      • Fix AppImage portability and language loading, bundle a matching FUSE library, and allow AppImage file name to start with "veracrypt" in any case.
      • Suppress redundant "already running" dialog and store the GUI instance lock under XDG paths.
      • Add emergency cleanup for stale unmounts.
      • Parallelize header KDF autodetection.
      • Honor nokernelcrypto during external formatting.
      • On WSL, open mounted volumes using Windows Explorer.
      • Add support for reproducible Linux builds, including SOURCE_DATE_EPOCH handling, DEB/RPM packages, and Arch package builds.
      • Add OpenWrt package build and QEMU test scripts.
      • Fix CMake 4 compatibility, CentOS 6 GCC 4.4 builds, and wxWidgets-related build issues.

    .

    • Linux and macOS:

      • Fix initial width of columns in main UI.
      • Enable Quick Format for normal file containers. The container is sized with ftruncate(), so the host filesystem may keep regions unwritten or sparse until data is written to them.
      • Fix hidden volume size estimation for exFAT outer volumes.
      • Fix hidden volume FAT size limit handling.
      • Fix erroneous 2 TiB limit for hidden file containers in GUI wizard.
      • Show volume creation finalization stages.
      • Collect mouse entropy from nested controls in the volume creation wizard.
      • Fix remaining wxWidgets sizer flags.

    .

    • macOS:

      • Use SMB backend for FUSE-T auxiliary mounts and improve FUSE-T SMB metadata handling and mount stability.
      • Recover mounted volume mount points.
      • Validate format wizard device targets and block partitioned whole-disk alias bypasses.
      • Run APFS formatter elevated when needed and prepare APFS formatter device aliases.
      • Force fresh exFAT layout when formatting volumes.
      • Fix Command-A in password fields.
      • Link against wxWidgets 3.2.10 and allow overriding the deployment target.

    .

    • BSD:

      • FreeBSD: link static wxWidgets builds with iconv.
      • OpenBSD: fix device-hosted volume sizing, honor doas user for mount ownership and FUSE access, and fix CLI build and PCSC exit handling.
     
    👍
    1
    ❤️
    3

    Last edit: Enigma2Illusion 20 hours ago

  • Davide

    Davide - 1 day ago

    Thank you so much, as always, for your efforts.

    I downloaded and installed it on a laptop with W11 25H2. Upon reboot, it told me the Windows Hello PIN wasn't available and asked me to reset it.
    Has this happened to anyone else? It's a minor issue, anyway.

    Thanks again.

     

  • Marcos Morar

    Marcos Morar - 1 day ago

    There is an additional option labeled "Mixing PRF" that appears when changing the Header Key Derivation Algorithm. It is only available during this specific process and includes a new algorithm: "BLAKE2b-512".

    Neither of these features is mentioned in the release notes, nor are they explained anywhere else.

     

    • Enigma2Illusion

      Enigma2Illusion - 1 day ago

      This is not a new feature and has been in existence since the TrueCrypt software which is/was the foundation of VeraCrypt software which uses more/different PRFs.

      You are merely adding more randomness to VeraCrypt to generate the final header key.

      You can select any of the available Mixing PRF's to help randomize the mixing pool.

      Using my test file container, I selected a Mixing PDF that is different from my new KDF algorithm which does not change mounting the volume using the new KDF.

      Example:
      Old KDF = SHA512-PBKDF2
      New KDF = BLAKE2S-PBKDF2

      Mixing PRF = Whirlpool-PBKDF2

      I still mount the volume using the new KDF of BLAKE2S-PBKDF2 since the Mixing PRF is used to help VeraCrypt randomness for creating the final header key.

      https://veracrypt.jp/en/Header%20Key%20Derivation.html

      https://veracrypt.jp/en/Random%20Number%20Generator.html

      This is the same process you perform when creating a new volume on the Volume Format screen that instructs you to move your mouse to increase randomness.

      See Step 11 at the link below:

      https://veracrypt.jp/en/Beginner%27s%20Tutorial.html

      @idrassi
      The only difference is the Volume Format screen does not give you a choice of Mixing PRF options like the Set Header Key Derivation Algorithm screen. I don't know why they are different.

       

      Last edit: Enigma2Illusion 1 day ago

  • Marcos Morar

    Marcos Morar - 1 day ago

    I have never used the "Set Header Key Derivation Algorithm" option before. If I needed to change the hash algorithm, I would simply use Change Password. That's why I never noticed this option. But the option should be there at the time of encrypted volume creation.

    Blake2b-512 wasn't available before, I think. Now I can see it on Windows but not on Linux. It will be available for Linux later?

     

    • Enigma2Illusion

      Enigma2Illusion - 1 day ago

      You can change a non-system encrypted volume's hash algorithm using the button Volume Tools > "Set Header Key Derivation Algorithm" option.

      For changing the hash algorithm for system encryption, use to the menu System > "Set Header Key Derivation Algorithm" option. Afterwards, be sure to recreate your VeraCrypt Rescue Disk.

      The Tools > "Set Header Key Derivation Algorithm" option is always available.

      Blake2b-512 wasn't available before, I think. Now I can see it on Windows but not on Linux. It will be available for Linux later?

      .
      1.26.7 (October 1st, 2023)

      All OSes:

      .
      VeraCrypt uses BLAKE2S-256 and not 512.

      https://veracrypt.jp/en/BLAKE2s-256.html

       

      Last edit: Enigma2Illusion 1 day ago

      • Marcos Morar

        Marcos Morar - 16 hours ago

        For changing the hash algorithm for system encryption, use to the menu System > "Set Header Key Derivation Algorithm" option.

        I believe this feature isn't available for UEFI, as the option is disabled on my end. Even in the Change Password section, the KDF selection is grayed out.

         

        • Enigma2Illusion

          Enigma2Illusion - 14 hours ago

          @marcos-morar

          I believe this feature isn't available for UEFI, as the option is disabled on my end. Even in the Change Password section, the KDF selection is grayed out.

          .
          I wonder if this is due to the VeraCrypt bootloader would need to be changed and due to the complexity of UEFI verses MBR is causing the program menu System > "Set Header Key Derivation Algorithm" and "Change Password" to be greyed-out?

           

  • Dainsczik

    Dainsczik - 21 hours ago

    Long life to Veracrypt !
    Sadly, some language settings are not working properly (French for example, must of them stay in English).
    This is secondary, it does not strictly speaking concern the operation of Veracrypt.

     

  • Wally White

    Wally White - 20 hours ago

    Was just recently thinking it had been a while since VC had updated. Cheers!

    That said, I have a minor-ish bug to report, at least with my installation: Since installing v1.26.29, the VC bootloader is a little messed up, as the Password: ***** line now appears at the top of the screen, overwriting the text there. It still functions fine, but looks kinda janky. (I’m kinda surprised I’m the first to report this here, which makes me suspect it may be unique to my installation … just my luck.)

     

Log in to post a comment.

Auth0 Logo