CVE-2026-6862

Name of the Vulnerable Software and Affected Versions efivar (affected versions not specified)

Description A flaw exists in the device path node parser of libefiboot, a component of efivar. The parser does not validate that the Length field of each node is at least 4 bytes, which is the minimum size for an EFI (Extensible Firmware Interface) device path node header. A local user can provide a specially crafted device path node to trigger infinite recursion, leading to stack exhaustion and a process crash, which results in a denial of service (DoS).

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.