Description
Out-of-bounds Write vulnerability in CloverHackyColor CloverBootloader (MdeModulePkg/Universal/RegularExpressionDxe/Oniguruma modules). This vulnerability is associated with program files regcomp.C.

This issue affects CloverBootloader: before 5162.
Published: 2026-01-27
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Memory corruption via out‑of‑bounds write
Action: Patch
AI Analysis

Impact

The vulnerability is an out‑of‑bounds write in the RegularExpressionDxe/Oniguruma modules of CloverBootloader, specifically within the regcomp.C runtime routine. The flaw can overwrite adjacent memory locations, potentially corrupting control data and causing the boot process to crash or behave unpredictably. The advisory does not state that code execution can be achieved, so any claim beyond memory corruption would be speculative.

Affected Systems

The issue exists in CloverHackyColor CloverBootloader releases before build 5162. Systems using those early builds remain vulnerable; builds from 5162 onward include the fix and are not affected.

Risk and Exploitability

The CVSS score is 5.1, indicating moderate severity, while the EPSS score is below 1%, showing a very low current exploitation probability. The vulnerability is not listed in the CISA KEV catalog. Exploitation would likely require delivering a crafted firmware image or modified bootloader to the system, representing a local or pre‑boot attack vector. Given the moderate severity and low likelihood of exploitation, administrators should prioritize applying the patch and monitor boot environments for abnormal activity.

Generated by OpenCVE AI on April 18, 2026 at 14:56 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade CloverBootloader to build 5162 or later to apply the out‑of‑bounds write fix.
  • Verify that firmware images are signed and have not been tampered with before loading them onto the system.
  • If an update is not immediately possible, restrict boot media to trusted, signed sources and disable booting from unverified external devices.

Generated by OpenCVE AI on April 18, 2026 at 14:56 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 27 Jan 2026 22:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 27 Jan 2026 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Cloverhackycolor
Cloverhackycolor cloverbootloader
Vendors & Products Cloverhackycolor
Cloverhackycolor cloverbootloader

Tue, 27 Jan 2026 08:30:00 +0000

Type Values Removed Values Added
Description Out-of-bounds Write vulnerability in CloverHackyColor CloverBootloader (MdeModulePkg/Universal/RegularExpressionDxe/Oniguruma modules). This vulnerability is associated with program files regcomp.C. This issue affects CloverBootloader: before 5162.
Title An Out-of-bounds Write in CloverHackyColor/CloverBootloader
Weaknesses CWE-787
References
Metrics cvssV4_0

{'score': 5.1, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L/S:N/AU:Y/R:U/V:C/RE:L/U:Amber'}

Subscriptions

Cloverhackycolor Cloverbootloader
cve-icon MITRE

Status: PUBLISHED

Assigner: GovTech CSG

Published:

Updated: 2026-01-27T21:38:51.796Z

Reserved: 2026-01-27T08:18:43.267Z

Link: CVE-2026-24795

cve-icon Vulnrichment

Updated: 2026-01-27T21:09:49.337Z

cve-icon NVD

Status : Deferred

Published: 2026-01-27T09:15:49.233

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-24795

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T15:00:03Z

Weaknesses