Skip to main content

libefiboot (efivar) EUVDEUVD-2026-24957

| CVE-2026-6862 MEDIUM
Uncontrolled Recursion (CWE-674)
2026-04-22 secalert@redhat.com
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Patch released
Apr 29, 2026 - 02:30 nvd
Patch available
Analysis Generated
Apr 22, 2026 - 15:03 vuln.today
EUVD ID Assigned
Apr 22, 2026 - 14:22 euvd
EUVD-2026-24957
Analysis Generated
Apr 22, 2026 - 14:22 vuln.today
CVE Published
Apr 22, 2026 - 14:17 nvd
MEDIUM 5.5

DescriptionCVE.org

A flaw was found in libefiboot, a component of efivar. The device path node parser in libefiboot fails to validate that each node's Length field is at least 4 bytes, which is the minimum size for an EFI (Extensible Firmware Interface) device path node header. A local user could exploit this vulnerability by providing a specially crafted device path node. This can lead to infinite recursion, causing stack exhaustion and a process crash, resulting in a denial of service (DoS).

AnalysisAI

Libefiboot in efivar fails to validate that EFI device path node length fields meet the 4-byte minimum requirement, allowing local users to trigger infinite recursion and stack exhaustion via crafted device paths. The vulnerability requires user interaction but causes denial of service by crashing affected processes, with no privilege escalation or data compromise. No active exploitation has been confirmed at the time of analysis.

Technical ContextAI

Libefiboot is a component of the efivar library responsible for parsing and handling EFI (Extensible Firmware Interface) device path nodes. EFI device path node headers contain a Length field that specifies the size of each node in the path structure. The parser traverses device path chains by reading and validating each node; however, it does not enforce the minimum 4-byte requirement for the node header size. This allows an attacker to craft malformed device paths with undersized Length fields that cause the parser to enter infinite loops while recursing through the node chain, rapidly exhausting stack memory. The root cause is improper input validation (CWE-674: Uncontrolled Recursion), where the parser does not check bounds before following node pointers.

RemediationAI

Apply vendor patches when available from your distribution or the efivar project. Interim mitigation includes restricting local user access to EFI device path processing tools and avoiding execution of untrusted firmware utilities or EFI applications that invoke libefiboot parsing. If libefiboot is used in a service context, disable or isolate the feature that processes external device paths until a patched version is deployed. Verify patch application by checking that the device path node parser now validates the 4-byte minimum Length field requirement before recursing. Consult RedHat advisories at https://access.redhat.com/security/cve/CVE-2026-6862 and Bugzilla at https://bugzilla.redhat.com/show_bug.cgi?id=2459982 for vendor-specific patched versions and timelines.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise Micro 5.2 Fixed
SUSE Linux Enterprise Micro 5.3 Fixed
SUSE Linux Enterprise Micro 5.4 Fixed

Share

EUVD-2026-24957 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy