PT-2026-26702 · Barebox · Barebox
Ahmad Fatoum
Published: 2026-03-20
Updated: 2026-05-16
CVE-2026-33243
CVSS v3.1: 8.2 (High)
Vector: AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
barebox versions 2016.03.0 through 2025.09.2
barebox versions 2025.10.0 through 2026.03.0
Description
barebox is a bootloader. When creating a FIT (Firmware Image Table), the
barebox is a bootloader. When creating a FIT (Firmware Image Table), the mkimage(1) tool sets the hashed-nodes property of the FIT signature node. This property lists the nodes of the FIT that were hashed during the signing process, for later verification by the bootloader. However, the hashed-nodes property itself is not included in the hash, so an attacker can modify it. Such a modification can potentially trick the bootloader into booting images that have not been verified.
Recommendations
Update to barebox version 2025.09.3 or later.
Update to barebox version 2026.03.1 or later.
Weakness Enumeration
Insufficient Verification of Data Authenticity
Related identifiers
Affected products
Barebox