PT-2026-26702 · Barebox · Barebox
Credits: Ahmad Fatoum and 1 other
Published: 2026-03-20 · Updated: 2026-05-16
CVE-2026-33243

| Metric | Value |
|---|---|
| CVSS v3.1 | 8.2 (High) |
| Vector | AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
barebox versions 2016.03.0 through 2025.09.2
barebox versions 2025.10.0 through 2026.03.0
Description
barebox is a bootloader. When creating a FIT (Firmware Image Table), the mkimage(1) tool sets the hashed-nodes property of the FIT signature node. This property lists the nodes of the FIT that were hashed during the signing process, for later verification by the bootloader. However, the hashed-nodes property itself is not included in the hash, so an attacker can modify it. This modification can potentially trick the bootloader into booting images that have not been verified.
Recommendations
Update to barebox version 2025.09.3 or later.
Update to barebox version 2026.03.1 or later.
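To make the coverage problem concrete, here is a toy model of FIT signature verification. It is an added example, not barebox or mkimage code: nodes are dict entries, HMAC-SHA256 stands in for the RSA signature so it runs offline, and all inputs are constructed. `verify_weak` recomputes the digest over whatever the unsigned hashed-nodes list names; `verify_hardened` additionally requires that the configuration about to boot, and every image it references, lie inside that signed set. The hardened check is an assumption about the general mitigation, not a transcription of barebox's patch.

```python
"""Toy model of FIT signature coverage (added example, not barebox or mkimage code).

A FIT is modelled as a dict of image and configuration nodes. The signature node
carries 'hashed-nodes', the list of nodes the digest covered, as mkimage records it.
HMAC-SHA256 stands in for the RSA signature so this runs offline. All inputs are
constructed; the hardened check mirrors the usual mitigation and is an assumption,
not barebox's actual patch.
"""
import hashlib
import hmac

DEMO_KEY = b"constructed-demo-key"  # stand-in for the signer's private key


def node_bytes(fit, path):
    """Canonical bytes of a node: image nodes contribute their data,
    configuration nodes the image names they reference."""
    kind, name = path.strip("/").split("/")
    if kind == "images":
        return fit["images"][name]
    cfg = fit["configurations"][name]
    return f"kernel={cfg['kernel']};fdt={cfg['fdt']}".encode()


def digest(fit, hashed_nodes):
    """Digest over the contents of the listed nodes only; the list itself is
    not covered, which is the property the advisory describes."""
    h = hmac.new(DEMO_KEY, digestmod=hashlib.sha256)
    for path in hashed_nodes:
        h.update(node_bytes(fit, path) + b"\0")
    return h.hexdigest()


def nodes_used_by(fit, conf):
    """The configuration node plus every image it will boot."""
    cfg = fit["configurations"][conf]
    return {f"/configurations/{conf}", f"/images/{cfg['kernel']}", f"/images/{cfg['fdt']}"}


def sign_config(fit, conf):
    """Signer side: record hashed-nodes and the digest over them."""
    hashed = sorted(nodes_used_by(fit, conf))
    fit["signature"] = {"hashed-nodes": hashed, "value": digest(fit, hashed)}
    return fit


def verify_weak(fit, conf):
    """Recomputes over whatever hashed-nodes names, without asking whether
    the configuration about to boot is inside that set."""
    sig = fit["signature"]
    return hmac.compare_digest(sig["value"], digest(fit, sig["hashed-nodes"]))


def verify_hardened(fit, conf):
    """Same digest check, plus: every node conf will boot must be in the
    signed set, so an edit of the unsigned list cannot widen what boots."""
    sig = fit["signature"]
    if not nodes_used_by(fit, conf) <= set(sig["hashed-nodes"]):
        return False
    return hmac.compare_digest(sig["value"], digest(fit, sig["hashed-nodes"]))


def build_signed_fit():
    fit = {"images": {"fdt-1": b"signed fdt", "kernel-1": b"signed kernel"},
           "configurations": {"conf-1": {"kernel": "kernel-1", "fdt": "fdt-1"}}}
    return sign_config(fit, "conf-1")


def build_inconsistent_fit():
    """Constructed regression input: the signed kernel bytes are kept under a
    second node that hashed-nodes now names, while conf-1 references a kernel-1
    the digest never covered. Only unsigned material differs from the good FIT."""
    fit = build_signed_fit()
    fit["images"]["kernel-0"] = fit["images"]["kernel-1"]
    fit["images"]["kernel-1"] = b"unsigned kernel"
    fit["signature"]["hashed-nodes"] = ["/configurations/conf-1", "/images/fdt-1", "/images/kernel-0"]
    return fit


def results():
    good, bad = build_signed_fit(), build_inconsistent_fit()
    return {"good_weak": verify_weak(good, "conf-1"),
            "good_hardened": verify_hardened(good, "conf-1"),
            "bad_weak": verify_weak(bad, "conf-1"),
            "bad_hardened": verify_hardened(bad, "conf-1")}


if __name__ == "__main__":
    print(results())
```

The digest still matches for the inconsistent FIT because every node it names is byte-identical to a signed one; only the coverage check in `verify_hardened` notices that `conf-1` boots a node outside the signed set. That is the check a verifier needs when the list of hashed nodes is not itself authenticated.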
Weakness Enumeration
Insufficient Verification of Data Authenticity (CWE-345)
Related Identifiers
Affected Products
Barebox