CVE-2026-33243 (GCVE-0-2026-33243)

Vulnerability from cvelistv5 – Published: 2026-03-20 22:51 – Updated: 2026-03-26 20:08
VLAI?
Title
barebox: FIT Signature Verification Bypass Vulnerability
Summary
barebox is a bootloader. In barebox from version 2016.03.0 to before version 2026.03.1 (and the corresponding backport to 2025.09.3), an attacker could exploit a FIT signature verification vulnerability to trick the bootloader into booting different images than those that were verified as part of a signed configuration. mkimage(1) sets the hashed-nodes property of the FIT signature node to list which nodes of the FIT were hashed as part of the signing process as these will need to be verified later on by the bootloader. However, hashed-nodes itself is not part of the hash and could therefore be modified to allow booting different images than those that have been verified. This issue has been patched in barebox versions 2026.03.1 and backported to 2025.09.3.
Severity ?
8.3 (High)
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
CWE
  • CWE-345 - Insufficient Verification of Data Authenticity
Assigner
References
Impacted products
Vendor Product Version
barebox barebox Affected: >= 2016.03.0, < 2025.09.3
Affected: >= 2025.10.0, < 2026.03.1
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-33243",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-24T15:31:22.066555Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-24T15:31:34.971Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "barebox",
          "vendor": "barebox",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 2016.03.0, \u003c 2025.09.3"
            },
            {
              "status": "affected",
              "version": "\u003e= 2025.10.0, \u003c 2026.03.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "barebox is a bootloader. In barebox from version 2016.03.0 to before version 2026.03.1 (and the corresponding backport to 2025.09.3), an attacker could exploit a FIT signature verification vulnerability to trick the bootloader into booting different images than those that were verified as part of a signed configuration. mkimage(1) sets the hashed-nodes property of the FIT signature node to list which nodes of the FIT were hashed as part of the signing process as these will need to be verified later on by the bootloader. However, hashed-nodes itself is not part of the hash and could therefore be modified to allow booting different images than those that have been verified. This issue has been patched in barebox versions 2026.03.1 and backported to 2025.09.3."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 8.3,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-345",
              "description": "CWE-345: Insufficient Verification of Data Authenticity",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-26T20:08:12.009Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/barebox/barebox/security/advisories/GHSA-3fvj-q26p-j6h4",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/barebox/barebox/security/advisories/GHSA-3fvj-q26p-j6h4"
        },
        {
          "name": "https://github.com/barebox/barebox/commit/aca01795056d51060cb096f9a1ea309361743e05",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/barebox/barebox/commit/aca01795056d51060cb096f9a1ea309361743e05"
        }
      ],
      "source": {
        "advisory": "GHSA-3fvj-q26p-j6h4",
        "discovery": "UNKNOWN"
      },
      "title": "barebox: FIT Signature Verification Bypass Vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-33243",
    "datePublished": "2026-03-20T22:51:15.938Z",
    "dateReserved": "2026-03-18T02:42:27.509Z",
    "dateUpdated": "2026-03-26T20:08:12.009Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-33243\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-03-20T23:16:47.167\",\"lastModified\":\"2026-03-26T21:17:05.430\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"barebox is a bootloader. In barebox from version 2016.03.0 to before version 2026.03.1 (and the corresponding backport to 2025.09.3), an attacker could exploit a FIT signature verification vulnerability to trick the bootloader into booting different images than those that were verified as part of a signed configuration. mkimage(1) sets the hashed-nodes property of the FIT signature node to list which nodes of the FIT were hashed as part of the signing process as these will need to be verified later on by the bootloader. However, hashed-nodes itself is not part of the hash and could therefore be modified to allow booting different images than those that have been verified. This issue has been patched in barebox versions 2026.03.1 and backported to 2025.09.3.\"},{\"lang\":\"es\",\"value\":\"barebox es un gestor de arranque. En barebox desde la versi\u00f3n 2016.03.0 hasta antes de la versi\u00f3n 2025.09.3 y desde la versi\u00f3n 2025.10.0 hasta antes de la versi\u00f3n 2026.03.1, al crear un FIT, mkimage(1) establece la propiedad hashed-nodes del nodo de firma FIT para listar qu\u00e9 nodos del FIT fueron hasheados como parte del proceso de firma, ya que estos deber\u00e1n ser verificados posteriormente por el gestor de arranque. Sin embargo, hashed-nodes en s\u00ed mismo no forma parte del hash y por lo tanto puede ser modificado por un atacante para enga\u00f1ar al gestor de arranque para que arranque im\u00e1genes diferentes a las que han sido verificadas. Este problema ha sido parcheado en las versiones de barebox 2025.09.3 y 2026.03.1.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H\",\"baseScore\":8.2,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.5,\"impactScore\":6.0}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-345\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:denx:u-boot:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2013.07\",\"versionEndExcluding\":\"2026.04\",\"matchCriteriaId\":\"73526136-D89A-4F96-AB26-FE78052494BA\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:denx:u-boot:2026.04:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"39D97BA6-0B7B-4633-971E-3C79C58A57A5\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:denx:u-boot:2026.04:rc2:*:*:*:*:*:*\",\"matchCriteriaId\":\"94B93B6C-02D1-42C9-B862-C945511A0297\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:denx:u-boot:2026.04:rc3:*:*:*:*:*:*\",\"matchCriteriaId\":\"86FAEAE1-FCD8-426D-9452-E1885014C9A9\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:pengutronix:barebox:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2016.03.0\",\"versionEndExcluding\":\"2025.09.3\",\"matchCriteriaId\":\"F9C10736-4F83-4DFE-B39D-8F93E6C8D55D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:pengutronix:barebox:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2025.10.0\",\"versionEndExcluding\":\"2026.03.1\",\"matchCriteriaId\":\"D19A8826-6289-4EEA-8093-8F92E7A66461\"}]}]}],\"references\":[{\"url\":\"https://github.com/barebox/barebox/commit/aca01795056d51060cb096f9a1ea309361743e05\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/barebox/barebox/security/advisories/GHSA-3fvj-q26p-j6h4\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\",\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-33243\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-03-24T15:31:22.066555Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-03-24T15:31:31.448Z\"}}], \"cna\": {\"title\": \"barebox: FIT Signature Verification Bypass Vulnerability\", \"source\": {\"advisory\": \"GHSA-3fvj-q26p-j6h4\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 8.3, \"attackVector\": \"LOCAL\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"HIGH\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"barebox\", \"product\": \"barebox\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 2016.03.0, \u003c 2025.09.3\"}, {\"status\": \"affected\", \"version\": \"\u003e= 2025.10.0, \u003c 2026.03.1\"}]}], \"references\": [{\"url\": \"https://github.com/barebox/barebox/security/advisories/GHSA-3fvj-q26p-j6h4\", \"name\": \"https://github.com/barebox/barebox/security/advisories/GHSA-3fvj-q26p-j6h4\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/barebox/barebox/commit/aca01795056d51060cb096f9a1ea309361743e05\", \"name\": \"https://github.com/barebox/barebox/commit/aca01795056d51060cb096f9a1ea309361743e05\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"barebox is a bootloader. In barebox from version 2016.03.0 to before version 2026.03.1 (and the corresponding backport to 2025.09.3), an attacker could exploit a FIT signature verification vulnerability to trick the bootloader into booting different images than those that were verified as part of a signed configuration. mkimage(1) sets the hashed-nodes property of the FIT signature node to list which nodes of the FIT were hashed as part of the signing process as these will need to be verified later on by the bootloader. However, hashed-nodes itself is not part of the hash and could therefore be modified to allow booting different images than those that have been verified. This issue has been patched in barebox versions 2026.03.1 and backported to 2025.09.3.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-345\", \"description\": \"CWE-345: Insufficient Verification of Data Authenticity\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-03-26T20:08:12.009Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-33243\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-03-26T20:08:12.009Z\", \"dateReserved\": \"2026-03-18T02:42:27.509Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-03-20T22:51:15.938Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.