Barebox

barebox

Vendor: Pengutronix • 10 CVEs

CVEs (10)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2026-34963 1Pengutronix 1Barebox May 13, 2026 May 11, 2026 8.6 HIGH· v4 7.8 HIGH· v3 N/A· v2 barebox version prior to 2026.04.0 contains multiple memory-safety vulnerabilities in the EFI PE loader in efi/loader/pe.c where integer overflow in virtual image size computation using 32-bit arithmetic on section Virtu...Show more barebox version prior to 2026.04.0 contains multiple memory-safety vulnerabilities in the EFI PE loader in efi/loader/pe.c where integer overflow in virtual image size computation using 32-bit arithmetic on section VirtualAddress and size values allows undersized heap allocation, and PE section loading logic fails to validate that PointerToRawData plus copied size remains within the PE file buffer. An attacker can supply a malicious EFI PE binary via TFTP, USB, SD card, or network boot to trigger heap buffer overflow or out-of-bounds read from heap memory, potentially achieving code execution in bootloader context.Show less
CVE-2026-34962 1Pengutronix 1Barebox May 13, 2026 May 11, 2026 6.9 MEDIUM· v4 5.5 MEDIUM· v3 N/A· v2 barebox version prior to 2026.04.0 contains a denial-of-service vulnerability in ext4 directory parsing in fs/ext4/ext4_common.c where the ext4fs_iterate_dir() function fails to validate that directory entry length value...Show more barebox version prior to 2026.04.0 contains a denial-of-service vulnerability in ext4 directory parsing in fs/ext4/ext4_common.c where the ext4fs_iterate_dir() function fails to validate that directory entry length values are non-zero. Attackers can supply a malicious ext4 filesystem image with a crafted directory entry containing a direntlen value of 0 to cause an infinite loop during directory listing or path resolution, resulting in the boot process hanging indefinitely.Show less
CVE-2026-34961 1Pengutronix 1Barebox May 13, 2026 May 11, 2026 6.9 MEDIUM· v4 7.7 HIGH· v3 N/A· v2 barebox prior to version 2026.04.0 contains out-of-bounds read vulnerabilities in ext4 extent parsing due to missing validation of the eh_entries field against buffer capacity in fs/ext4/ext4_common.c. Attackers can supp...Show more barebox prior to version 2026.04.0 contains out-of-bounds read vulnerabilities in ext4 extent parsing due to missing validation of the eh_entries field against buffer capacity in fs/ext4/ext4_common.c. Attackers can supply a malicious ext4 filesystem image via USB, SD card, or network boot to trigger heap out-of-bounds reads during boot-time filesystem parsing, potentially redirecting reads to arbitrary disk offsets.Show less
CVE-2026-34960 1Pengutronix 1Barebox May 16, 2026 May 11, 2026 7.1 HIGH· v4 6.5 MEDIUM· v3 N/A· v2 barebox prior to version 2026.04.0 contains an out-of-bounds read vulnerability in DHCP option parsing within the dhcp_message_type() function that fails to verify the options pointer remains within received packet bound...Show more barebox prior to version 2026.04.0 contains an out-of-bounds read vulnerability in DHCP option parsing within the dhcp_message_type() function that fails to verify the options pointer remains within received packet bounds. An attacker on the same broadcast domain can send a crafted DHCP Offer or ACK packet without a proper 0xff end marker to cause the parser to read past valid packet data and potentially crash the system.Show less
CVE-2026-33243 2Denx Pengutronix 2Barebox U Boot Mar 26, 2026 Mar 20, 2026 N/A· v4 8.2 HIGH· v3 N/A· v2 barebox is a bootloader. In barebox from version 2016.03.0 to before version 2026.03.1 (and the corresponding backport to 2025.09.3), an attacker could exploit a FIT signature verification vulnerability to trick the boot...Show more barebox is a bootloader. In barebox from version 2016.03.0 to before version 2026.03.1 (and the corresponding backport to 2025.09.3), an attacker could exploit a FIT signature verification vulnerability to trick the bootloader into booting different images than those that were verified as part of a signed configuration. mkimage(1) sets the hashed-nodes property of the FIT signature node to list which nodes of the FIT were hashed as part of the signing process as these will need to be verified later on by the bootloader. However, hashed-nodes itself is not part of the hash and could therefore be modified to allow booting different images than those that have been verified. This issue has been patched in barebox versions 2026.03.1 and backported to 2025.09.3.Show less
CVE-2021-37848 1Pengutronix 1Barebox Nov 21, 2024 Aug 2, 2021 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 common/password.c in Pengutronix barebox through 2021.07.0 leaks timing information because strncmp is used during hash comparison.
CVE-2021-37847 1Pengutronix 1Barebox Nov 21, 2024 Aug 2, 2021 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 crypto/digest.c in Pengutronix barebox through 2021.07.0 leaks timing information because memcmp is used during digest verification.
CVE-2020-13910 1Pengutronix 1Barebox Nov 21, 2024 Jun 7, 2020 N/A· v4 9.1 CRITICAL· v3 6.4 MEDIUM· v2 Pengutronix Barebox through v2020.05.0 has an out-of-bounds read in nfs_read_reply in net/nfs.c because a field of an incoming network packet is directly used as a length field without any bounds check.
CVE-2019-15938 1Pengutronix 1Barebox Nov 21, 2024 Sep 5, 2019 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 Pengutronix barebox through 2019.08.1 has a remote buffer overflow in nfs_readlink_req in fs/nfs.c because a length field is directly used for a memcpy.
CVE-2019-15937 1Pengutronix 1Barebox Nov 21, 2024 Sep 5, 2019 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 Pengutronix barebox through 2019.08.1 has a remote buffer overflow in nfs_readlink_reply in net/nfs.c because a length field is directly used for a memcpy.