Severity by source
AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attacker must locally supply a FIT image with some write/update privilege (AV:L/PR:L); defeating bootloader verification compromises the subsequently booted OS, giving S:C and full C/I/A impact.
AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
6DescriptionNVD
Das U-Boot before 2026.04 allows FIT (Flat Image Tree) signature verification bypass because hashed-nodes is omitted from a hash.
AnalysisAI
FIT image signature verification bypass in Das U-Boot before 2026.04 lets an attacker who can supply a Flat Image Tree get tampered boot components accepted as authentic, defeating verified/secure boot. Because the 'hashed-nodes' list is omitted from the computed hash, an attacker can alter which nodes are actually covered by the signature and load unsigned or modified kernels/images. There is no public exploit identified at time of analysis and EPSS is 0.00%, but SSVC rates technical impact as total, reflecting a full compromise of the chain of trust.
Technical ContextAI
U-Boot is the de-facto bootloader for embedded, ARM, and IoT platforms, and its FIT (Flat Image Tree) format bundles kernels, device trees, ramdisks, and their hash/signature nodes for verified boot. Signature verification is supposed to cover the configuration node plus every referenced image and its hash-* subnodes. The vulnerability (CWE-346, Origin Validation Error) stems from the code in boot/image-fit-sig.c not incorporating the 'hashed-nodes' set correctly into the hash, so the set of nodes that are signed does not match the set that is trusted. The upstream fix (commit 2092322b) rewrites node-list construction via fit_config_get_hash_list()/fit_config_add_hash(), explicitly packing the root node, config node, and each image's hash and cipher subnode paths so the signature deterministically covers all trusted nodes. The affected component is the DENX U-Boot codebase (cpe:2.3:a:denx:u-boot); a parallel advisory (GHSA-3fvj-q26p-j6h4) indicates barebox shares the same class of flaw.
RemediationAI
Vendor-released patch: upgrade to U-Boot 2026.04 or later, which contains the corrected node-hashing logic (upstream commit 2092322b31cc8b1f8c9e2e238d1043ae0637b241). For downstream/board vendors that cannot immediately rebase, backport that commit into your U-Boot fork and reflash the bootloader. Because the fix must ship in firmware, plan a coordinated firmware update for affected fleets. Where an immediate rebuild is not possible, compensating controls include restricting who can write to the boot medium and update channel (physical/storage access is the delivery path, so locking down flash-write and update-signing paths limits exploitation), enabling and enforcing hardware root-of-trust / secure-boot stages prior to U-Boot so a tampered FIT cannot be introduced upstream, and verifying image integrity out-of-band; note these controls reduce but do not eliminate the underlying verification gap, and disabling FIT verified boot is NOT a valid workaround since it removes the protection entirely. Refer to https://nvd.nist.gov/vuln/detail/CVE-2026-46728 and the barebox advisory GHSA-3fvj-q26p-j6h4.
In Das U-Boot through 2022.07-rc5, an integer signedness error and resultant stack-based buffer overflow in the "i2c md"
Das U-Boot 2022.01 has a Buffer Overflow, a different issue than CVE-2022-30552. Rated high severity (CVSS 7.8), this vu
Das U-Boot through 2020.01 allows attackers to bypass verified boot restrictions and subsequently boot arbitrary images
nfs_lookup_reply in net/nfs.c in Das U-Boot through 2022.04 (and through 2022.07-rc2) has an unbounded memcpy with a fai
DENX U-Boot through 2018.09-rc1 has a remotely exploitable buffer overflow via a malicious TFTP server because TFTP traf
There exists an unchecked length field in UBoot. Rated high severity (CVSS 7.7), this vulnerability is no authentication
An issue was discovered in Das U-Boot through 2019.07. Rated critical severity (CVSS 9.8), this vulnerability is remotel
An issue was discovered in Das U-Boot through 2019.07. Rated critical severity (CVSS 9.8), this vulnerability is remotel
An issue was discovered in Das U-Boot through 2019.07. Rated critical severity (CVSS 9.8), this vulnerability is remotel
An issue was discovered in Das U-Boot through 2019.07. Rated critical severity (CVSS 9.8), this vulnerability is remotel
An issue was discovered in Das U-Boot through 2019.07. Rated critical severity (CVSS 9.8), this vulnerability is remotel
An issue was discovered in Das U-Boot through 2019.07. Rated critical severity (CVSS 9.8), this vulnerability is remotel
Same weakness CWE-346 – Origin Validation Error
View allSame technique Authentication Bypass
View allVendor StatusVendor
SUSE
Severity: High| Product | Status |
|---|---|
| SUSE Linux Enterprise Desktop 15 SP7 | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP7 | Fixed |
| SUSE Linux Enterprise Micro 5.3 | Fixed |
| SUSE Linux Enterprise Micro 5.4 | Fixed |
| SUSE Linux Enterprise Micro 5.5 | Fixed |
| SUSE Linux Enterprise Module for Basesystem 15 SP7 | Fixed |
| SUSE Linux Enterprise Server 15 SP7 | Fixed |
| SUSE Linux Enterprise Server 16.0 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 15 SP7 | Fixed |
| SUSE Linux Micro 6.0 | Fixed |
| SUSE Linux Micro 6.1 | Fixed |
| SUSE Linux Micro 6.2 | Fixed |
| openSUSE Leap 16.0 | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS | Fixed |
| SUSE Linux Enterprise Server 12 SP5 | Fixed |
| SUSE Linux Enterprise Server 12 SP5-LTSS | Fixed |
| SUSE Linux Enterprise Server 15 SP4-LTSS | Fixed |
| SUSE Linux Enterprise Server 15 SP5-LTSS | Fixed |
| SUSE Linux Enterprise Server 15 SP6-LTSS | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 15 SP6 | Fixed |
| SUSE CaaS Platform 4.0 | Fixed |
| SUSE Enterprise Storage 6 | Fixed |
| SUSE Enterprise Storage 6 | Fixed |
| SUSE Linux Enterprise Desktop 15 SP1 | Fixed |
| SUSE Linux Enterprise Desktop 15 SP1 | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP1 | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP1 | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP1-ESPOS | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP1-ESPOS | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS | Fixed |
| SUSE Linux Enterprise Module for Basesystem 15 SP1 | Fixed |
| SUSE Linux Enterprise Module for Basesystem 15 SP1 | Fixed |
| SUSE Linux Enterprise Server 12 SP4 | Fixed |
| SUSE Linux Enterprise Server 12 SP4 | Fixed |
| SUSE Linux Enterprise Server 12 SP4-ESPOS | Fixed |
| SUSE Linux Enterprise Server 12 SP4-ESPOS | Fixed |
| SUSE Linux Enterprise Server 12 SP4-LTSS | Fixed |
| SUSE Linux Enterprise Server 12 SP4-LTSS | Fixed |
| SUSE Linux Enterprise Server 15 SP1 | Fixed |
| SUSE Linux Enterprise Server 15 SP1 | Fixed |
| SUSE Linux Enterprise Server 15 SP1-BCL | Fixed |
| SUSE Linux Enterprise Server 15 SP1-LTSS | Fixed |
| SUSE Linux Enterprise Server 15 SP1-LTSS | Fixed |
| SUSE Linux Enterprise Server 15 SP2-LTSS | Fixed |
| SUSE Linux Enterprise Server 15 SP3-LTSS | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 15 SP1 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 15 SP1 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 15 SP4 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 15 SP5 | Fixed |
| SUSE Manager Proxy 4.0 | Fixed |
| SUSE Manager Proxy 4.0 | Fixed |
| SUSE Manager Retail Branch Server 4.0 | Fixed |
| SUSE Manager Retail Branch Server 4.0 | Fixed |
| SUSE Manager Server 4.0 | Fixed |
| SUSE Manager Server 4.0 | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30673
GHSA-5cv5-vm4q-7wmx