Skip to main content

Openfpgaloader CVE-2026-35170

| EUVDEUVD-2026-19444 HIGH
Out-of-bounds Read (CWE-125)
2026-04-06 GitHub_M
7.1
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.1 HIGH
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
High

Lifecycle Timeline

4
Re-analysis Queued
Apr 28, 2026 - 17:22 vuln.today
cvss_changed
EUVD ID Assigned
Apr 06, 2026 - 19:30 euvd
EUVD-2026-19444
Analysis Generated
Apr 06, 2026 - 19:30 vuln.today
CVE Published
Apr 06, 2026 - 18:59 nvd
HIGH 7.1

DescriptionGitHub Advisory

openFPGALoader is a utility for programming FPGAs. In 1.1.1 and earlier, a heap-buffer-overflow read vulnerability exists in BitParser::parseHeader() that allows out-of-bounds heap memory access when parsing a crafted .bit file. No FPGA hardware is required to trigger this vulnerability.

AnalysisAI

Heap-buffer-overflow in openFPGALoader 1.1.1 and earlier allows local attackers to trigger information disclosure and denial-of-service through maliciously crafted .bit FPGA configuration files. The vulnerability requires user interaction (opening a malicious file) but requires no authentication or FPGA hardware. CVSS base score is 7.1 (High). No public exploit identified at time of analysis, though proof-of-concept development is feasible given the specific vulnerability class and file format parsing context. EPSS data not available.

Technical ContextAI

openFPGALoader is an open-source utility by Gwenhael Goavec-Merou (trabucayre) for programming FPGA devices from various vendors. The vulnerability resides in the BitParser::parseHeader() function responsible for parsing Xilinx .bit bitstream files. CWE-125 (Out-of-bounds Read) indicates the parser fails to properly validate buffer boundaries when processing .bit file headers, allowing reads beyond allocated heap memory. This class of vulnerability is common in file format parsers that lack robust size validation before dereferencing pointers or accessing array indices. The affected component (cpe:2.3:a:trabucayre:openfpgaloader) is a command-line tool typically used in hardware development workflows, making the attack surface contingent on social engineering or supply-chain scenarios where malicious bitstream files are introduced.

RemediationAI

Users should monitor the official GitHub repository at https://github.com/trabucayre/openFPGALoader for a patched release addressing GHSA-v59x-fvpj-j22x. The vendor security advisory at https://github.com/trabucayre/openFPGALoader/security/advisories/GHSA-v59x-fvpj-j22x should be consulted for official remediation guidance and fix version availability. Until a patch is released, mitigation measures include processing only .bit files from trusted sources with verified integrity, implementing file validation in automated workflows, running openFPGALoader in sandboxed environments with limited heap memory access, and restricting tool access to authorized hardware developers. Organizations should audit CI/CD pipelines that automatically process bitstream files and implement input validation or quarantine untrusted files. If feasible, use alternative FPGA programming tools until the vulnerability is resolved, or compile openFPGALoader from source with address sanitizer enabled for early detection of exploitation attempts.

Share

CVE-2026-35170 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy