Skip to main content

Barebox CVE-2026-33243

HIGH
Insufficient Verification of Data Authenticity (CWE-345)
2026-03-20 GitHub_M
8.2
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.2 HIGH
AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
Mar 20, 2026 - 23:16 vuln.today
CVE Published
Mar 20, 2026 - 22:51 nvd
HIGH 8.2

DescriptionGitHub Advisory

barebox is a bootloader. In barebox from version 2016.03.0 to before version 2025.09.3 and from version 2025.10.0 to before version 2026.03.1, when creating a FIT, mkimage(1) sets the hashed-nodes property of the FIT signature node to list which nodes of the FIT were hashed as part of the signing process as these will need to be verified later on by the bootloader. However, hashed-nodes itself is not part of the hash and can therefore be modified by an attacker to trick the bootloader into booting different images than those that have been verified. This issue has been patched in barebox versions 2025.09.3 and 2026.03.1.

AnalysisAI

A signature bypass vulnerability exists in the barebox bootloader's FIT (Flattened Image Tree) image verification mechanism. The hashed-nodes property, which lists which FIT nodes were signed, is not itself part of the cryptographic hash, allowing an attacker with high privileges and local access to modify this property and trick the bootloader into loading malicious images that were never signed. This affects barebox versions 2016.03.0 through 2025.09.2 and 2025.10.0 through 2026.03.0, with patches available in versions 2025.09.3 and 2026.03.1.

Technical ContextAI

Barebox is an embedded systems bootloader commonly used in industrial and embedded Linux environments. The vulnerability affects the FIT (Flattened Image Tree) image format verification process, specifically in how mkimage generates signature nodes. According to CPE cpe:2.3:a:barebox:barebox, the issue stems from CWE-345 (Insufficient Verification of Data Authenticity), where the hashed-nodes property acts as metadata describing what was signed but is not itself cryptographically protected. This architectural flaw allows the integrity check to be subverted by modifying which nodes the bootloader believes should be verified, effectively creating a semantic gap between what was signed and what gets verified during secure boot.

RemediationAI

Upgrade barebox to version 2025.09.3 or later for the 2025.09.x branch, or to version 2026.03.1 or later for the 2026.03.x branch. The fix is documented in commit aca01795056d51060cb096f9a1ea309361743e05 available at https://github.com/barebox/barebox/commit/aca01795056d51060cb096f9a1ea309361743e05. Organizations should review their bootloader versions and update according to the guidance in https://github.com/barebox/barebox/security/advisories/GHSA-3fvj-q26p-j6h4. As a defense-in-depth measure, implement strict access controls to boot media and image signing infrastructure, and establish monitoring for unauthorized modifications to FIT images in the boot chain. Where immediate patching is not feasible, consider implementing hardware-based secure boot mechanisms or verified boot chains that provide independent cryptographic validation.

Share

CVE-2026-33243 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy