libefiboot (efivar) CVE-2026-6862

| EUVD-2026-24957 MEDIUM
Uncontrolled Recursion (CWE-674)
2026-04-22 [email protected]
Denial Of Service
5.5
CVSS 3.1
Share

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

1
Analysis Generated
Apr 22, 2026 - 15:03 vuln.today

DescriptionNVD

A flaw was found in libefiboot, a component of efivar. The device path node parser in libefiboot fails to validate that each node's Length field is at least 4 bytes, which is the minimum size for an EFI (Extensible Firmware Interface) device path node header. A local user could exploit this vulnerability by providing a specially crafted device path node. This can lead to infinite recursion, causing stack exhaustion and a process crash, resulting in a denial of service (DoS).

AnalysisAI

Libefiboot in efivar fails to validate that EFI device path node length fields meet the 4-byte minimum requirement, allowing local users to trigger infinite recursion and stack exhaustion via crafted device paths. The vulnerability requires user interaction but causes denial of service by crashing affected processes, with no privilege escalation or data compromise. …

Sign in for full analysis, threat intelligence, and remediation guidance.

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Sign in - Free

Share

CVE-2026-6862 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy