
Ahmad Fatoum

Researcher at Pengutronix
#17657 of 53,779
15.3 CVSS total
Vulnerabilities · 2
High
2
PT-2026-26702
8.2
2026-03-20
Barebox · Barebox · CVE-2026-33243
**Name of the Vulnerable Software and Affected Versions**

barebox versions 2016.03.0 through 2025.09.2

barebox versions 2025.10.0 through 2026.03.0

**Description**

barebox is a bootloader. When creating a FIT (Firmware Image Table), the `mkimage(1)` function sets the `hashed-nodes` property of the FIT signature node. This property lists the nodes of the FIT that were hashed during the signing process for later verification by the bootloader. However, the `hashed-nodes` property itself is not included in the hash, allowing an attacker to modify it. This modification can potentially trick the bootloader into booting images that have not been verified.

**Recommendations**

Update to barebox version 2025.09.3 or later.

Update to barebox version 2026.03.1 or later.
PT-2025-6747
7.1
2025-02-17
Barebox · Barebox · CVE-2024-57261
**Name of the Vulnerable Software and Affected Versions**

barebox versions before 2025.01.0

**Description**

The issue is related to an integer overflow in the `request2size` function in `common/dlmalloc.c`.

**Recommendations**

For versions before 2025.01.0, update to version 2025.01.0 or later to resolve the issue.