CVE-2026-33243

barebox is a bootloader. In barebox from version 2016.03.0 to before version 2026.03.1 (and the corresponding backport to 2025.09.3), an attacker could exploit a FIT signature verification vulnerability to trick the bootloader into booting different images than those that were verified as part of a signed configuration. mkimage(1) sets the hashed-nodes property of the FIT signature node to list which nodes of the FIT were hashed as part of the signing process as these will need to be verified later on by the bootloader. However, hashed-nodes itself is not part of the hash and could therefore be modified to allow booting different images than those that have been verified. This issue has been patched in barebox versions 2026.03.1 and backported to 2025.09.3.

CVSS v3 8.2 HIGH

8.2^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.5 / Impact : 6.0

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

References

Link	Resource
https://github.com/barebox/barebox/commit/aca01795056d51060cb096f9a1ea309361743e05	Patch
https://github.com/barebox/barebox/security/advisories/GHSA-3fvj-q26p-j6h4	Patch Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:denx:u-boot::::::::
	cpe:2.3:a:denx:u-boot:2026.04:rc1::::::
	cpe:2.3:a:denx:u-boot:2026.04:rc2::::::
	cpe:2.3:a:denx:u-boot:2026.04:rc3::::::
	cpe:2.3:a:pengutronix:barebox::::::::
	cpe:2.3:a:pengutronix:barebox::::::::

History

No history.

Information

Published : 2026-03-20 23:16

Updated : 2026-03-26 21:17

NVD link : CVE-2026-33243

Mitre link : CVE-2026-33243

CVE.ORG link : CVE-2026-33243

JSON object : View

Products Affected

denx

u-boot

pengutronix

barebox

CWE

CWE-345

Insufficient Verification of Data Authenticity

{"id": "CVE-2026-33243", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.2, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 1.5}]}, "published": "2026-03-20T23:16:47.167", "references": [{"url": "https://github.com/barebox/barebox/commit/aca01795056d51060cb096f9a1ea309361743e05", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/barebox/barebox/security/advisories/GHSA-3fvj-q26p-j6h4", "tags": ["Patch", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-345"}]}], "descriptions": [{"lang": "en", "value": "barebox is a bootloader. In barebox from version 2016.03.0 to before version 2026.03.1 (and the corresponding backport to 2025.09.3), an attacker could exploit a FIT signature verification vulnerability to trick the bootloader into booting different images than those that were verified as part of a signed configuration. mkimage(1) sets the hashed-nodes property of the FIT signature node to list which nodes of the FIT were hashed as part of the signing process as these will need to be verified later on by the bootloader. However, hashed-nodes itself is not part of the hash and could therefore be modified to allow booting different images than those that have been verified. This issue has been patched in barebox versions 2026.03.1 and backported to 2025.09.3."}, {"lang": "es", "value": "barebox es un gestor de arranque. En barebox desde la versi\u00f3n 2016.03.0 hasta antes de la versi\u00f3n 2025.09.3 y desde la versi\u00f3n 2025.10.0 hasta antes de la versi\u00f3n 2026.03.1, al crear un FIT, mkimage(1) establece la propiedad hashed-nodes del nodo de firma FIT para listar qu\u00e9 nodos del FIT fueron hasheados como parte del proceso de firma, ya que estos deber\u00e1n ser verificados posteriormente por el gestor de arranque. Sin embargo, hashed-nodes en s\u00ed mismo no forma parte del hash y por lo tanto puede ser modificado por un atacante para enga\u00f1ar al gestor de arranque para que arranque im\u00e1genes diferentes a las que han sido verificadas. Este problema ha sido parcheado en las versiones de barebox 2025.09.3 y 2026.03.1."}], "lastModified": "2026-03-26T21:17:05.430", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:denx:u-boot:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "73526136-D89A-4F96-AB26-FE78052494BA", "versionEndExcluding": "2026.04", "versionStartIncluding": "2013.07"}, {"criteria": "cpe:2.3:a:denx:u-boot:2026.04:rc1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "39D97BA6-0B7B-4633-971E-3C79C58A57A5"}, {"criteria": "cpe:2.3:a:denx:u-boot:2026.04:rc2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "94B93B6C-02D1-42C9-B862-C945511A0297"}, {"criteria": "cpe:2.3:a:denx:u-boot:2026.04:rc3:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "86FAEAE1-FCD8-426D-9452-E1885014C9A9"}, {"criteria": "cpe:2.3:a:pengutronix:barebox:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F9C10736-4F83-4DFE-B39D-8F93E6C8D55D", "versionEndExcluding": "2025.09.3", "versionStartIncluding": "2016.03.0"}, {"criteria": "cpe:2.3:a:pengutronix:barebox:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D19A8826-6289-4EEA-8093-8F92E7A66461", "versionEndExcluding": "2026.03.1", "versionStartIncluding": "2025.10.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}