Update the old logo with a simplified one without extra label text.
.ico and .icns are updated on Windows and macOS, and .png, .svg
are added on Linux and FreeBSD.
Original logo design by Andreas Becker, recreated by danielwerg with
some edits and symbolic version by me.
This update introduces a screen protection mechanism that leverages the Windows Display Affinity API to prevent screen capture, screen recording, and inclusion in the Windows 11 Recall feature. By default, all VeraCrypt windows, menus, and tooltips are protected. Users can enable or disable this feature through a new setting available in the application Preferences, as well as in the installer and MSI configurations.
This enhances user privacy by mitigating potential leaks of sensitive interface content.
Note: Due to a regression in Windows 11 affecting layered windows, ComboBox dropdowns cannot currently be protected by this mechanism.
The cascade order has been updated so that SM4 is applied after the other cipher(s) (e.g., Serpent). This change reflects standard cryptanalytic guidance, which shows that the overall strength of a cascade is limited by the first encryption stage. Given that SM4 uses a 128-bit key, its post-quantum brute-force resistance is lower than ciphers with a 256-bit key (such as Serpent). By placing SM4 last, we ensure that any potential weakness in SM4 cannot reduce the security margin provided by the stronger cipher.
Replaced hardcoded 0x56455241 ('VERA') with TC_HEADER_MAGIC for better readability and maintainability.
Also replaced 0x5645524142455854 with TC_BOOT_DRIVE_FILTER_EXTENSION_MAGIC and added 'ULL' suffix for 64-bit safety.
* refactor: use UNMOUNT instead of DISMOUNT in code
This change updates the term DISMOUNT in constants to UNMOUNT.
Other occurrences (e.g. variable names) are left alone for now.
* refactor(ui): use unmount instead of dismount
This change updates the GUI text and replaces dismount with unmount.
* docs: update term dismount -> unmount
* refactor(cmdline): add unmount
This change adds an argument 'unmount' for command line usage, while
trying to deprecate the old disnount argument.
The current dismount argument/flag will still work to not introduce
a breaking change.
* docs: mention that /dismount is deprecated
This change fixes the shorthand version of the argument /unmount
It also adds back the info for /dismount and that it is deprecated.
Added security checks to prevent mounting VeraCrypt volumes on system directories (like /usr/bin) or directories in the user's PATH, which could theoretically allow execution of malicious binaries instead of legitimate system binaries.
Key changes:
- Block mounting on protected system directories (/usr, /bin, /lib, etc.)
This restriction cannot be overridden
- Block mounting on directories present in user's PATH environment variable
This can be overridden with --allow-insecure-mount flag
- Add visual warnings (red border, "[INSECURE MODE]") when mounting on PATH directories is allowed
- Handle symlinks properly when checking paths
- Add new error messages for blocked mount points
To override PATH-based restrictions only (system directories remain protected):
veracrypt --allow-insecure-mount [options] volume mountpoint
Security Impact: Low to Medium
The attack requires either:
- User explicitly choosing a system directory as mount point instead of using VeraCrypt's default mount points
- Or attacker having both filesystem access to modify favorites configuration AND knowledge of the volume password
Default mount points are not affected by this vulnerability.
Security: CVE-2025-23021
Issue was caused by the fact that Microsoft signing certificate for driver file has changed.
We fix it by updating the SHA512 fingerprint of Microsoft code signing certificate.
This commit increases randomness quality by using more dynamic/varied sources of entropy.
PDH-based disk and network statistics collection in now added to random pool
- Introduced `GetDiskStatistics` to gather disk read/write performance data using PDH API.
- Introduced `GetNetworkStatistics` to gather network send/receive performance data using PDH API.
- Integrated high-resolution timestamps and random intervals to improve entropy in collected data.
- Updated `SlowPoll` function to utilize PDH-based disk and network statistics.
- Removed obsolete NetAPI32-based network statistics collection.
