CVE-2026-33243
Severity: HIGH
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Description
barebox is a bootloader. In barebox from version 2016.03.0 to before version 2025.09.3 and from version 2025.10.0 to before version 2026.03.1, when creating a FIT, mkimage(1) sets the hashed-nodes property of the FIT signature node to list which nodes of the FIT were hashed as part of the signing process, as these will need to be verified later on by the bootloader. However, hashed-nodes itself is not part of the hash and can therefore be modified by an attacker to trick the bootloader into booting different images than those that have been verified. This issue has been patched in barebox versions 2025.09.3 and 2026.03.1.
Analysis
A signature bypass vulnerability exists in the barebox bootloader's FIT (Flattened Image Tree) image verification mechanism. The hashed-nodes property, which lists which FIT nodes were signed, is not itself part of the cryptographic hash, allowing an attacker with high privileges and local access to modify this property and trick the bootloader into loading malicious images that were never signed. …
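The description and analysis above come down to one design rule: whatever selects the regions a signature covers must itself be inside the trust boundary. The toy below is an added illustration, not barebox code and not the real FIT/DTB format. It models a FIT as a dict of node paths to bytes, stands in the RSA signature mkimage(1) would produce with an HMAC under a constructed key, and reduces the bootloader to a few lines. The weak verifier hashes whichever nodes the unsigned hashed-nodes list names and then boots what the configuration points at, so a change to unsigned material alone is enough to make it load bytes the signer never saw. The hardened verifier is one general pattern for closing that gap (derive the required nodes from the signed configuration, accept the list only if it covers them, and bind node paths into the digest); it is an assumption here, not a description of the actual barebox patch.

```python
"""Toy model of a FIT-style signed image tree (added illustration, not barebox
code and not the real FIT/DTB format).  Nodes are a dict of path -> bytes, the
RSA signature mkimage(1) would emit is stood in for by an HMAC under a
constructed key, and the "bootloader" is a few lines.  It contrasts a verifier
that trusts an unsigned hashed-nodes list with one that derives the set of
nodes that must be covered from the signed configuration."""

import hashlib
import hmac

# Constructed demo key; stands in for the signing key / bootloader-embedded public key.
VERIFY_KEY = b"constructed-demo-key"

CONFIG_PATH = "/configurations/conf-1"


def digest_of_nodes(fit, hashed_nodes, bind_paths):
    """Hash the contents of the listed nodes in list order.  When bind_paths is
    set, each node's path is mixed in too, so the digest also commits to which
    node each chunk of bytes came from.  Returns None if a listed node is absent."""
    h = hashlib.sha256()
    for path in hashed_nodes:
        data = fit["nodes"].get(path)
        if data is None:
            return None
        if bind_paths:
            h.update(path.encode() + b"\0")
        h.update(data)
    return h.digest()


def sign_fit(fit, hashed_nodes, bind_paths):
    """Signer side: record which nodes were hashed (the hashed-nodes property)
    and sign the digest over them.  The list itself is written unsigned."""
    digest = digest_of_nodes(fit, hashed_nodes, bind_paths)
    fit["signature"] = {
        "hashed-nodes": list(hashed_nodes),
        "value": hmac.new(VERIFY_KEY, digest, "sha256").digest(),
    }
    return fit


def signature_ok(fit, hashed_nodes, bind_paths):
    digest = digest_of_nodes(fit, hashed_nodes, bind_paths)
    if digest is None:
        return False
    expected = hmac.new(VERIFY_KEY, digest, "sha256").digest()
    return hmac.compare_digest(expected, fit["signature"]["value"])


def weak_boot(fit):
    """Flawed pattern: the verifier lets the unsigned hashed-nodes property decide
    which nodes are hashed, then boots whatever the configuration names."""
    if not signature_ok(fit, fit["signature"]["hashed-nodes"], bind_paths=False):
        return None
    kernel_path = fit["nodes"][CONFIG_PATH].decode()
    return fit["nodes"].get(kernel_path)


def hardened_boot(fit):
    """Hardened pattern (a general fix, not a description of barebox's patch):
    the nodes that must be covered are derived from the signed configuration,
    the unsigned list is only accepted if it covers all of them, and paths are
    bound into the digest so bytes cannot be re-homed under another node."""
    config = fit["nodes"].get(CONFIG_PATH)
    if config is None:
        return None
    kernel_path = config.decode()
    required = {CONFIG_PATH, kernel_path}
    listed = fit["signature"]["hashed-nodes"]
    if not required.issubset(listed):
        return None  # the list omits something the boot would use
    if not signature_ok(fit, listed, bind_paths=True):
        return None
    return fit["nodes"].get(kernel_path)


def build_signed_fit(bind_paths):
    """Constructed sample FIT: one configuration pointing at one kernel image."""
    fit = {"nodes": {CONFIG_PATH: b"/images/kernel-1",
                     "/images/kernel-1": b"GENUINE-KERNEL"}}
    return sign_fit(fit, [CONFIG_PATH, "/images/kernel-1"], bind_paths)


def relist_hashed_nodes(fit):
    """Change only unsigned material: move the signed kernel bytes to a new path,
    put other bytes at the path the configuration boots, and edit hashed-nodes
    so the digest over the listed contents is unchanged."""
    t = {"nodes": dict(fit["nodes"]), "signature": dict(fit["signature"])}
    t["nodes"]["/images/kernel-orig"] = t["nodes"]["/images/kernel-1"]
    t["nodes"]["/images/kernel-1"] = b"UNSIGNED-KERNEL"
    t["signature"]["hashed-nodes"] = [CONFIG_PATH, "/images/kernel-orig"]
    return t


if __name__ == "__main__":
    print("weak, intact:   ", weak_boot(build_signed_fit(False)))
    print("weak, relisted: ", weak_boot(relist_hashed_nodes(build_signed_fit(False))))
    print("hard, intact:   ", hardened_boot(build_signed_fit(True)))
    print("hard, relisted: ", hardened_boot(relist_hashed_nodes(build_signed_fit(True))))
```

In the weak variant the signature check still passes after the relisting, because the digest is a function of the listed contents only and those contents did not change; the image that actually boots is the one the verifier never hashed. In the hardened variant the same edit fails before any cryptography runs, because the node the configuration boots is missing from the list, and appending it would change the digest and fail the signature instead. Either of the two measures (deriving the required set from signed data, or binding paths into the digest) is sufficient on its own; the point of showing both is that the selector must not be the attacker's to choose.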
Remediation
Within 24 hours: Inventory all systems running barebox versions 2016.03.0-2025.09.2 or 2025.10.0-2026.03.0 and assess exposure in production environments. Within 7 days: Implement compensating controls, including strict access controls that limit privileged user access to bootloaders, disabling FIT image loading where it is not critical, and enabling secure boot with hardware attestation where available. …