Sascha Hauer

**Name of the Vulnerable Software and Affected Versions** barebox versions 2016.03.0 through 2025.09.2 barebox versions 2025.10.0 through 2026.03.0 **Description** barebox is a bootloader. When creating a FIT (Firmware Image Table), the `mkimage(1)` function sets the `hashed-nodes` property of the FIT signature node. This property lists the nodes of the FIT that were hashed during the signing process for later verification by the bootloader. However, the `hashed-nodes` property itself is not included in the hash, allowing an attacker to modify it. This modification can potentially trick the bootloader into booting images that have not been verified. **Recommendations** Update to barebox version 2025.09.3 or later. Update to barebox version 2026.03.1 or later.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 6.6.52 **Description** The vulnerability is related to the `mwifiex get priv by id()` function in the Linux kernel, which returns a priv pointer corresponding to the `bss num` and `bss type` without checking if the priv is actually in use. This can lead to NULL pointer dereferences further down the call stack. The issue occurs when an Access Point is started with `wpa supplicant` and a specific configuration, causing a kernel NULL pointer dereference at a virtual address. **Recommendations** To resolve the issue, update the Linux kernel to version 6.6.52 or later. As a temporary workaround, consider disabling the `mwifiex get cfp()` function until a patch is available. Restrict access to the vulnerable `mwifiex` module to minimize the risk of exploitation. Avoid using the `ssid`, `mode`, `frequency`, `key mgmt`, `proto`, `group`, `pairwise`, and `psk` parameters in the affected API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Pengutronix barebox versions prior to 2019.08.1 **Description** The issue is related to a remote buffer overflow in the `nfs readlink reply` function located in `net/nfs.c`. This occurs because a length field is directly used for a `memcpy`, which can lead to a buffer overflow. **Recommendations** For versions prior to 2019.08.1, update to a version that contains a fix for this issue.