Skip to main content

Das U-Boot EUVDEUVD-2026-30673

| CVE-2026-46728 HIGH
Origin Validation Error (CWE-346)
2026-05-16 mitre GHSA-5cv5-vm4q-7wmx
8.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
vuln.today AI
8.8 HIGH

Attacker must locally supply a FIT image with some write/update privilege (AV:L/PR:L); defeating bootloader verification compromises the subsequently booted OS, giving S:C and full C/I/A impact.

3.1 AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
SUSE
8.2 HIGH
AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

6
Analysis Updated
Jul 14, 2026 - 18:43 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jul 14, 2026 - 18:37 vuln.today
cvss_changed
CVSS changed
Jul 14, 2026 - 18:37 NVD
8.2 (HIGH) 8.8 (HIGH)
Patch available
May 16, 2026 - 23:31 EUVD
Source Code Evidence Fetched
May 16, 2026 - 22:30 vuln.today
Analysis Generated
May 16, 2026 - 22:30 vuln.today

DescriptionNVD

Das U-Boot before 2026.04 allows FIT (Flat Image Tree) signature verification bypass because hashed-nodes is omitted from a hash.

AnalysisAI

FIT image signature verification bypass in Das U-Boot before 2026.04 lets an attacker who can supply a Flat Image Tree get tampered boot components accepted as authentic, defeating verified/secure boot. Because the 'hashed-nodes' list is omitted from the computed hash, an attacker can alter which nodes are actually covered by the signature and load unsigned or modified kernels/images. There is no public exploit identified at time of analysis and EPSS is 0.00%, but SSVC rates technical impact as total, reflecting a full compromise of the chain of trust.

Technical ContextAI

U-Boot is the de-facto bootloader for embedded, ARM, and IoT platforms, and its FIT (Flat Image Tree) format bundles kernels, device trees, ramdisks, and their hash/signature nodes for verified boot. Signature verification is supposed to cover the configuration node plus every referenced image and its hash-* subnodes. The vulnerability (CWE-346, Origin Validation Error) stems from the code in boot/image-fit-sig.c not incorporating the 'hashed-nodes' set correctly into the hash, so the set of nodes that are signed does not match the set that is trusted. The upstream fix (commit 2092322b) rewrites node-list construction via fit_config_get_hash_list()/fit_config_add_hash(), explicitly packing the root node, config node, and each image's hash and cipher subnode paths so the signature deterministically covers all trusted nodes. The affected component is the DENX U-Boot codebase (cpe:2.3:a:denx:u-boot); a parallel advisory (GHSA-3fvj-q26p-j6h4) indicates barebox shares the same class of flaw.

RemediationAI

Vendor-released patch: upgrade to U-Boot 2026.04 or later, which contains the corrected node-hashing logic (upstream commit 2092322b31cc8b1f8c9e2e238d1043ae0637b241). For downstream/board vendors that cannot immediately rebase, backport that commit into your U-Boot fork and reflash the bootloader. Because the fix must ship in firmware, plan a coordinated firmware update for affected fleets. Where an immediate rebuild is not possible, compensating controls include restricting who can write to the boot medium and update channel (physical/storage access is the delivery path, so locking down flash-write and update-signing paths limits exploitation), enabling and enforcing hardware root-of-trust / secure-boot stages prior to U-Boot so a tampered FIT cannot be introduced upstream, and verifying image integrity out-of-band; note these controls reduce but do not eliminate the underlying verification gap, and disabling FIT verified boot is NOT a valid workaround since it removes the protection entirely. Refer to https://nvd.nist.gov/vuln/detail/CVE-2026-46728 and the barebox advisory GHSA-3fvj-q26p-j6h4.

More in U Boot

View all
CVE-2022-34835 CRITICAL POC
9.8 Jun 30

In Das U-Boot through 2022.07-rc5, an integer signedness error and resultant stack-based buffer overflow in the "i2c md"

CVE-2022-30790 HIGH POC
7.8 Jun 08

Das U-Boot 2022.01 has a Buffer Overflow, a different issue than CVE-2022-30552. Rated high severity (CVSS 7.8), this vu

CVE-2020-10648 HIGH POC
7.8 Mar 19

Das U-Boot through 2020.01 allows attackers to bypass verified boot restrictions and subsequently boot arbitrary images

CVE-2022-30767 CRITICAL POC
9.8 May 16

nfs_lookup_reply in net/nfs.c in Das U-Boot through 2022.04 (and through 2022.07-rc2) has an unbounded memcpy with a fai

CVE-2018-18439 CRITICAL POC
9.8 Nov 20

DENX U-Boot through 2018.09-rc1 has a remotely exploitable buffer overflow via a malicious TFTP server because TFTP traf

CVE-2022-2347 HIGH POC
7.7 Sep 23

There exists an unchecked length field in UBoot. Rated high severity (CVSS 7.7), this vulnerability is no authentication

CVE-2019-14199 CRITICAL
9.8 Jul 31

An issue was discovered in Das U-Boot through 2019.07. Rated critical severity (CVSS 9.8), this vulnerability is remotel

CVE-2019-14193 CRITICAL
9.8 Jul 31

An issue was discovered in Das U-Boot through 2019.07. Rated critical severity (CVSS 9.8), this vulnerability is remotel

CVE-2019-14203 CRITICAL
9.8 Jul 31

An issue was discovered in Das U-Boot through 2019.07. Rated critical severity (CVSS 9.8), this vulnerability is remotel

CVE-2019-14202 CRITICAL
9.8 Jul 31

An issue was discovered in Das U-Boot through 2019.07. Rated critical severity (CVSS 9.8), this vulnerability is remotel

CVE-2019-14201 CRITICAL
9.8 Jul 31

An issue was discovered in Das U-Boot through 2019.07. Rated critical severity (CVSS 9.8), this vulnerability is remotel

CVE-2019-14200 CRITICAL
9.8 Jul 31

An issue was discovered in Das U-Boot through 2019.07. Rated critical severity (CVSS 9.8), this vulnerability is remotel

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise Micro 5.3 Fixed
SUSE Linux Enterprise Micro 5.4 Fixed
SUSE Linux Enterprise Micro 5.5 Fixed

Share

EUVD-2026-30673 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy