CVE-2026-33243

Published: Mar 21, 2026 Last Modified: Mar 21, 2026

ExploitDB:

Other exploit source:

Google Dorks:

HIGH 8,2

Source: [email protected]

Attack Vector: local

Attack Complexity: low

Privileges Required: high

User Interaction: none

Scope: changed

Confidentiality: high

Integrity: high

Availability: high

Description

AI Translation Available

barebox is a bootloader. In barebox from version 2016.03.0 to before version 2025.09.3 and from version 2025.10.0 to before version 2026.03.1, when creating a FIT, mkimage(1) sets the hashed-nodes property of the FIT signature node to list which nodes of the FIT were hashed as part of the signing process as these will need to be verified later on by the bootloader. However, hashed-nodes itself is not part of the hash and can therefore be modified by an attacker to trick the bootloader into booting different images than those that have been verified. This issue has been patched in barebox versions 2025.09.3 and 2026.03.1.

345

Insufficient Verification of Data Authenticity

Draft

Abstraction: Class Structure: Simple

Common Consequences

Security Scopes Affected:

Integrity Other

Potential Impacts:

Varies By Context Unexpected State

Applicable Platforms

Technologies: ICS/OT

View CWE Details

https://github.com/barebox/barebox/commit/aca01795056d51060…

https://github.com/barebox/barebox/commit/aca01795056d51060cb096f9a1ea309361743…

https://github.com/barebox/barebox/security/advisories/GHSA…

https://github.com/barebox/barebox/security/advisories/GHSA-3fvj-q26p-j6h4

CVE-2026-33243

Description

Insufficient Verification of Data Authenticity

Common Consequences

Applicable Platforms

Iscriviti alla newsletter