Severity by source
AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from Vendor (mitre) · only source for this CVE.
CVSS VectorVendor: mitre
CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionCVE.org
An issue in the U-Boot component of GNCC GP5 v7.1.76 allows physically-proximate attackers to bypass authentication and gain root access via interrupting the boot sequence and injecting a crafted string into the kernel boot arguments.
AnalysisAI
U-Boot bootloader authentication bypass on GNCC GP5 v7.1.76 grants a physically-proximate attacker full root access to the device by interrupting the boot sequence and injecting crafted kernel boot arguments. The vulnerability stems from insufficient input validation in the bootloader's handling of kernel command-line parameters, allowing an attacker to override security controls set during the normal boot process. Publicly available exploit code exists via a GitHub IoT vulnerability research repository; no CISA KEV listing has been identified at time of analysis, consistent with the physical-access prerequisite limiting widespread automated exploitation.
Technical ContextAI
U-Boot is a widely deployed open-source bootloader used in embedded Linux systems and IoT devices. During the boot sequence, U-Boot constructs and passes a kernel command line (bootargs) to the Linux kernel, which can include parameters that influence root filesystem mounting, init process selection, and console access. The CWE-20 (Improper Input Validation) root cause indicates that GNCC GP5 firmware v7.1.76 fails to restrict or sanitize operator-supplied input to the bootloader console, allowing injection of arbitrary kernel parameters such as 'init=/bin/sh' or 'rw single' that subvert the intended authentication and initialization flow. The CPE data provided is non-specific (cpe:2.3:a:n/a:n/a), so exact affected product scope is derived from the CVE description and EUVD entry EUVD-2026-34278 rather than NVD CPE enumeration. The GNCC GP5 appears to be an IoT device (likely a GPS/tracking unit based on naming conventions and the vendor domain gp5.com) running an embedded Linux stack with U-Boot as the first-stage bootloader.
RemediationAI
No vendor-released patch has been identified at time of analysis. The vendor domains referenced (gncc.com, gp5.com) have not published a security advisory. Organizations using GNCC GP5 devices should contact the vendor directly to request a patched firmware and monitor the NVD entry at https://nvd.nist.gov/vuln/detail/CVE-2026-36175 and VulDB entry https://vuldb.com/vuln/368356 for patch availability updates. As compensating controls, deployers should implement strict physical security measures to prevent unauthorized access to the device, including tamper-evident seals or locked enclosures - this directly addresses the AV:P attack prerequisite. Where the device supports it, enable U-Boot password protection or restrict bootloader console access via U-Boot environment variable locking (setenv bootdelay -1; saveenv), though the effectiveness of this control depends on whether U-Boot itself enforces it prior to the vulnerable input-handling stage. Encrypting on-device storage would limit the value of root access for data exfiltration. Note that without a vendor patch, software-level mitigations may be insufficient if an attacker can reflash the bootloader from external media.
Remote code execution in APScheduler (all versions through 3.10.x and 4.0.0a5) is achievable when applications deseriali
Unauthenticated remote OS command injection in MeiG Smart FORGE_SLT711 cellular gateway firmware MDM9607.LE.1.0-00110-ST
Unauthenticated API access in LalanaChami Pharmacy Management System (commit 5c3d028) allows remote attackers to dump al
In Citrix Cloud through 2025-11-10, an account with read-only access can trigger the beginning of a workflow for write o
Giflib 5.2.2 contains a buffer overflow in the EGifGCBToExtension function that fails to validate allocated memory when
Denial of service in GPAC's MP4Box multimedia tool (versions before 26.02.0) arises from a use-after-free in the gf_sei_
Arbitrary kernel memory read/write in Realtek rtl819x Jungle SDK Wi-Fi driver allows local unprivileged attackers to acc
Denial of service in GPAC's MP4Box/libgpac media importer (versions before 26.02.0) lets an attacker crash the tool by s
An issue in the parse_month function (/time/strptime.rs) of relibc commit ab6a2e allows attackers to cause a Denial of S
Denial of service in relibc (the Redox OS C standard library) at commit 61f42d allows attackers to crash a process by ge
An issue in the pthread_rwlockattr_setpshared() function of relibc commit 61f42d allows attackers to cause a Denial of S
Denial of service in relibc (the Redox OS C standard library implementation, commit 61f42d) lets attackers crash a proce
Same weakness CWE-20 – Improper Input Validation
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-34278
GHSA-4ghq-g4mw-8vf2