PT-2026-39850 · Barebox · Barebox
Kazuma Matsumoto · Published 2026-05-11 · Updated 2026-05-13
CVE-2026-34961
CVSS v3.1: 7.7 (High)
Vector: AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
Name of the Vulnerable Software and Affected Versions
barebox versions prior to 2026.04.0
Description
An out-of-bounds read exists in the ext4 extent parsing code in fs/ext4/ext4_common.c because the extent header's eh_entries field is not validated against the capacity of the buffer holding the extent block. By supplying a crafted ext4 filesystem image via USB, SD card, or network boot, an attacker can trigger heap out-of-bounds reads during boot-time filesystem parsing, which may redirect subsequent reads to arbitrary disk offsets.
Recommendations
Update to version 2026.04.0 or later.
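The missing check described above, as an added illustration that is not barebox's own code: a validator for the on-disk ext4 extent header that rejects a header whose eh_entries claims more 12-byte entries than the buffer read from disk can hold. Field layout follows the ext4 on-disk format; the function names and the test-helper are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* On-disk ext4 extent header is 12 bytes, little-endian:
 * eh_magic, eh_entries, eh_max, eh_depth (u16 each), eh_generation (u32).
 * Each extent / extent-index entry that follows it is also 12 bytes. */
#define EXT4_EXT_MAGIC       0xF30A
#define EXT4_EXT_HEADER_SIZE 12
#define EXT4_EXT_ENTRY_SIZE  12

static uint16_t le16_at(const uint8_t *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

/* Hypothetical bounds check (not barebox's function): returns 1 when every
 * entry the header announces lies inside the buf_len-byte buffer, else 0.
 * Without the final comparison a crafted image can make the parser walk
 * past the end of the block it actually read, which is the flaw described. */
int ext4_extent_header_fits(const uint8_t *buf, size_t buf_len)
{
    uint16_t magic, entries, max;
    size_t room;

    if (buf == NULL || buf_len < EXT4_EXT_HEADER_SIZE)
        return 0;
    magic   = le16_at(buf);
    entries = le16_at(buf + 2);
    max     = le16_at(buf + 4);
    if (magic != EXT4_EXT_MAGIC)
        return 0;
    if (entries > max)          /* header is internally inconsistent */
        return 0;
    room = buf_len - EXT4_EXT_HEADER_SIZE;
    /* The check the description says is missing: entries * entry size
     * must fit in the bytes that remain after the header. */
    if ((size_t)entries * EXT4_EXT_ENTRY_SIZE > room)
        return 0;
    return 1;
}

/* Test helper: write a constructed header (magic, entries, max) into buf. */
void ext4_extent_header_write(uint8_t *buf, uint16_t entries, uint16_t max)
{
    memset(buf, 0, EXT4_EXT_HEADER_SIZE);
    buf[0] = EXT4_EXT_MAGIC & 0xff; buf[1] = EXT4_EXT_MAGIC >> 8;
    buf[2] = entries & 0xff;        buf[3] = entries >> 8;
    buf[4] = max & 0xff;            buf[5] = max >> 8;
}
```

For a 4096-byte block the header plus 340 entries exactly fits (12 + 340 * 12 = 4092), so 341 must be rejected.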
Fix
Out of bounds Read
Weakness Enumeration
Related Identifiers
Affected Products
Barebox