216.73.217.50

CVE-2026-33243

· Published 20/03/2026 23:16 · Modified 20/03/2026 23:16

Labels: CVE-2026-33243 2026-03-20CVE-2026-33243CWE-345[email protected]

Essential information

Published
20/03/2026 23:16
Modified
20/03/2026 23:16
Author
Creator
CVSS
8.2 HIGH (v3.1)
CISA KEV
No
CWE
CVSS vector
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

CVSS metrics

Description

barebox is a bootloader. In barebox from version 2016.03.0 to before version 2025.09.3 and from version 2025.10.0 to before version 2026.03.1, when creating a FIT, mkimage(1) sets the hashed-nodes property of the FIT signature node to list which nodes of the FIT were hashed as part of the signing process as these will need to be verified later on by the bootloader. However, hashed-nodes itself is not part of the hash and can therefore be modified by an attacker to trick the bootloader into booting different images than those that have been verified. This issue has been patched in barebox versions 2025.09.3 and 2026.03.1.

NVD status

Status
Received — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
barebox / barebox cpe:2.3:a:barebox:barebox:2016.03.0-<2025.09.3:*:*:*:*:*:*:*
barebox / barebox cpe:2.3:a:barebox:barebox:2025.10.0-<2026.03.1:*:*:*:*:*:*:*
barebox / barebox cpe:2.3:a:barebox:barebox:2025.09.3:*:*:*:*:*:*:*
barebox / barebox cpe:2.3:a:barebox:barebox:2026.03.1:*:*:*:*:*:*:*

References