Severity by source
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H
Lifecycle Timeline
4DescriptionGitHub Advisory
openFPGALoader is a utility for programming FPGAs. In 1.1.1 and earlier, a heap-buffer-overflow read vulnerability exists in BitParser::parseHeader() that allows out-of-bounds heap memory access when parsing a crafted .bit file. No FPGA hardware is required to trigger this vulnerability.
AnalysisAI
Heap-buffer-overflow in openFPGALoader 1.1.1 and earlier allows local attackers to trigger information disclosure and denial-of-service through maliciously crafted .bit FPGA configuration files. The vulnerability requires user interaction (opening a malicious file) but requires no authentication or FPGA hardware. CVSS base score is 7.1 (High). No public exploit identified at time of analysis, though proof-of-concept development is feasible given the specific vulnerability class and file format parsing context. EPSS data not available.
Technical ContextAI
openFPGALoader is an open-source utility by Gwenhael Goavec-Merou (trabucayre) for programming FPGA devices from various vendors. The vulnerability resides in the BitParser::parseHeader() function responsible for parsing Xilinx .bit bitstream files. CWE-125 (Out-of-bounds Read) indicates the parser fails to properly validate buffer boundaries when processing .bit file headers, allowing reads beyond allocated heap memory. This class of vulnerability is common in file format parsers that lack robust size validation before dereferencing pointers or accessing array indices. The affected component (cpe:2.3:a:trabucayre:openfpgaloader) is a command-line tool typically used in hardware development workflows, making the attack surface contingent on social engineering or supply-chain scenarios where malicious bitstream files are introduced.
RemediationAI
Users should monitor the official GitHub repository at https://github.com/trabucayre/openFPGALoader for a patched release addressing GHSA-v59x-fvpj-j22x. The vendor security advisory at https://github.com/trabucayre/openFPGALoader/security/advisories/GHSA-v59x-fvpj-j22x should be consulted for official remediation guidance and fix version availability. Until a patch is released, mitigation measures include processing only .bit files from trusted sources with verified integrity, implementing file validation in automated workflows, running openFPGALoader in sandboxed environments with limited heap memory access, and restricting tool access to authorized hardware developers. Organizations should audit CI/CD pipelines that automatically process bitstream files and implement input validation or quarantine untrusted files. If feasible, use alternative FPGA programming tools until the vulnerability is resolved, or compile openFPGALoader from source with address sanitizer enabled for early detection of exploitation attempts.
More in Openfpgaloader
View allSame weakness CWE-125 – Out-of-bounds Read
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-19444