Barebox
CVE-2026-33243
HIGH
Severity by source
AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionGitHub Advisory
barebox is a bootloader. In barebox from version 2016.03.0 to before version 2025.09.3 and from version 2025.10.0 to before version 2026.03.1, when creating a FIT, mkimage(1) sets the hashed-nodes property of the FIT signature node to list which nodes of the FIT were hashed as part of the signing process as these will need to be verified later on by the bootloader. However, hashed-nodes itself is not part of the hash and can therefore be modified by an attacker to trick the bootloader into booting different images than those that have been verified. This issue has been patched in barebox versions 2025.09.3 and 2026.03.1.
AnalysisAI
A signature bypass vulnerability exists in the barebox bootloader's FIT (Flattened Image Tree) image verification mechanism. The hashed-nodes property, which lists which FIT nodes were signed, is not itself part of the cryptographic hash, allowing an attacker with high privileges and local access to modify this property and trick the bootloader into loading malicious images that were never signed. This affects barebox versions 2016.03.0 through 2025.09.2 and 2025.10.0 through 2026.03.0, with patches available in versions 2025.09.3 and 2026.03.1.
Technical ContextAI
Barebox is an embedded systems bootloader commonly used in industrial and embedded Linux environments. The vulnerability affects the FIT (Flattened Image Tree) image format verification process, specifically in how mkimage generates signature nodes. According to CPE cpe:2.3:a:barebox:barebox, the issue stems from CWE-345 (Insufficient Verification of Data Authenticity), where the hashed-nodes property acts as metadata describing what was signed but is not itself cryptographically protected. This architectural flaw allows the integrity check to be subverted by modifying which nodes the bootloader believes should be verified, effectively creating a semantic gap between what was signed and what gets verified during secure boot.
RemediationAI
Upgrade barebox to version 2025.09.3 or later for the 2025.09.x branch, or to version 2026.03.1 or later for the 2026.03.x branch. The fix is documented in commit aca01795056d51060cb096f9a1ea309361743e05 available at https://github.com/barebox/barebox/commit/aca01795056d51060cb096f9a1ea309361743e05. Organizations should review their bootloader versions and update according to the guidance in https://github.com/barebox/barebox/security/advisories/GHSA-3fvj-q26p-j6h4. As a defense-in-depth measure, implement strict access controls to boot media and image signing infrastructure, and establish monitoring for unauthorized modifications to FIT images in the boot chain. Where immediate patching is not feasible, consider implementing hardware-based secure boot mechanisms or verified boot chains that provide independent cryptographic validation.
common/password.c in Pengutronix barebox through 2021.07.0 leaks timing information because strncmp is used during hash
crypto/digest.c in Pengutronix barebox through 2021.07.0 leaks timing information because memcmp is used during digest v
Pengutronix barebox through 2019.08.1 has a remote buffer overflow in nfs_readlink_req in fs/nfs.c because a length fiel
Pengutronix barebox through 2019.08.1 has a remote buffer overflow in nfs_readlink_reply in net/nfs.c because a length f
Pengutronix Barebox through v2020.05.0 has an out-of-bounds read in nfs_read_reply in net/nfs.c because a field of an in
barebox version prior to 2026.04.0 contains multiple memory-safety vulnerabilities in the EFI PE loader in efi/loader/pe
barebox prior to version 2026.04.0 contains an out-of-bounds read vulnerability in DHCP option parsing within the dhcp_m
barebox version prior to 2026.04.0 contains a denial-of-service vulnerability in ext4 directory parsing in fs/ext4/ext4_
barebox prior to version 2026.04.0 contains out-of-bounds read vulnerabilities in ext4 extent parsing due to missing val
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today