PT-2026-39851 · Barebox · Barebox

Kazuma Matsumoto · Published 2026-05-11 · Updated 2026-05-13 · CVE-2026-34962

CVSS v3.1: 6.2 Medium

Vector: AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions

barebox versions prior to 2026.04.0

Description

A denial-of-service issue exists in the ext4 directory parsing within fs/ext4/ext4_common.c. The ext4fs_iterate_dir() function does not validate that directory entry length values are non-zero. An attacker can provide a malicious ext4 filesystem image containing a crafted directory entry with a direntlen value of 0, triggering an infinite loop during path resolution or directory listing, which causes the boot process to hang indefinitely.

Recommendations

Update to version 2026.04.0.
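
One way to validate directory entry lengths before advancing, shown as an added example that is not barebox's code or its actual fix: a walk over one ext4 directory block that rejects a direntlen of 0 (and other invalid lengths) instead of looping. The names walk_dir_block and put_dirent and the sample block are constructed for illustration; block sizes below 64 KiB are assumed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define DIRENT_HDR 8u /* inode(4) + direntlen(2) + namelen(1) + filetype(1) */

/* Hypothetical helper (not barebox code): count in-use entries in one
 * directory block, or return -1 if the block is malformed. Assumes block
 * size < 64 KiB, so the 16-bit direntlen is a literal byte count. */
int walk_dir_block(const uint8_t *blk, size_t size)
{
    size_t pos = 0;
    int used = 0;
    while (pos < size) {
        if (size - pos < DIRENT_HDR)
            return -1;                /* truncated header */
        const uint8_t *de = blk + pos;
        size_t direntlen = de[4] | ((size_t)de[5] << 8); /* little-endian */
        size_t namelen = de[6];
        /* direntlen == 0 would leave pos unchanged and loop forever; the
         * minimum-size test rejects it along with other short values. */
        if (direntlen < DIRENT_HDR + namelen || direntlen % 4 != 0 ||
            direntlen > size - pos)   /* or entry runs past the block */
            return -1;
        if (de[0] | de[1] | de[2] | de[3])
            used++;                   /* inode 0 marks an unused slot */
        pos += direntlen;             /* always advances by at least 8 */
    }
    return used;
}

/* Write a constructed entry into a zeroed block (small inode numbers only). */
void put_dirent(uint8_t *blk, size_t pos, uint8_t ino, uint16_t len, const char *name)
{
    blk[pos] = ino;
    blk[pos + 4] = (uint8_t)(len & 0xff);
    blk[pos + 5] = (uint8_t)(len >> 8);
    blk[pos + 6] = (uint8_t)strlen(name);
    memcpy(blk + pos + DIRENT_HDR, name, strlen(name));
}

int main(void)
{
    uint8_t blk[64] = {0};
    put_dirent(blk, 0, 2, 12, ".");
    put_dirent(blk, 12, 2, 0, "..");  /* constructed: direntlen of 0 */
    printf("%d\n", walk_dir_block(blk, sizeof blk)); /* rejected, no hang */
    return 0;
}
```

The same bounds-checked loop also covers entries that overrun the block or are misaligned, which a check for zero alone would miss.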

Fix

DoS

Infinite Loop

Weakness Enumeration

Related Identifiers

CVE-2026-34962

Affected Products

Barebox