Description
barebox is a bootloader. In barebox from version 2016.03.0 to before version 2026.03.1 (and the corresponding backport to 2025.09.3), an attacker could exploit a FIT signature verification vulnerability to trick the bootloader into booting different images than those that were verified as part of a signed configuration. mkimage(1) sets the hashed-nodes property of the FIT signature node to list which nodes of the FIT were hashed as part of the signing process as these will need to be verified later on by the bootloader. However, hashed-nodes itself is not part of the hash and could therefore be modified to allow booting different images than those that have been verified. This issue has been patched in barebox versions 2026.03.1 and backported to 2025.09.3.
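As an added illustration (not barebox's or U-Boot's own code), the following Python models the cross-check a FIT configuration verifier needs so that a hashed-nodes list outside the signed data cannot narrow what gets verified: every node the configuration depends on (the root node, the configuration node, each referenced image and its sub-nodes) must appear in hashed-nodes before the signature is even checked. The check is modelled after U-Boot's fit_config_check_sig(); the flat path map, the HMAC stand-in for the RSA signature, the key and all node contents are constructed for the example.

```python
import hashlib
import hmac
import json

# Toy FIT: a flat map of node path -> properties (constructed, not a real FDT).
IMAGE_PROPS = ("kernel", "fdt", "ramdisk", "loadables")

def required_nodes(fit, conf_path):
    """Nodes a configuration signature must cover: root, the configuration node
    and every referenced image node with its sub-nodes (modelled after U-Boot)."""
    needed = {"/", conf_path}
    for prop in IMAGE_PROPS:
        names = fit[conf_path].get(prop, ())
        for name in ([names] if isinstance(names, str) else names):
            img = "/images/" + name
            needed.update(p for p in fit if p == img or p.startswith(img + "/"))
    return needed

def digest_over(fit, hashed_nodes, key):
    """HMAC-SHA256 stand-in for the signed hash; the signature node is never hashed."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    for path in hashed_nodes:
        mac.update(path.encode() + b"\0")
        mac.update(json.dumps(fit[path], sort_keys=True).encode())
    return mac.hexdigest()

def sign_config(fit, conf_path, key, hashed_nodes=None):
    """mkimage-style signing; the override lets a caller model an incomplete list."""
    hashed = sorted(required_nodes(fit, conf_path) if hashed_nodes is None else hashed_nodes)
    fit[conf_path + "/signature"] = {"hashed-nodes": hashed,
                                     "value": digest_over(fit, hashed, key)}

def verify_config(fit, conf_path, key):
    """Hardened check: fail closed if hashed-nodes omits a needed node, then compare."""
    sig = fit.get(conf_path + "/signature")
    if sig is None:
        return False, "unsigned configuration"
    missing = required_nodes(fit, conf_path) - set(sig["hashed-nodes"])
    if missing:
        return False, "hashed-nodes omits " + ", ".join(sorted(missing))
    ok = hmac.compare_digest(digest_over(fit, sig["hashed-nodes"], key), sig["value"])
    return ok, "signature ok" if ok else "signature mismatch"

def sample_fit():
    """Constructed FIT with one kernel (plus hash sub-node), one dtb, one config."""
    return {"/": {"description": "constructed FIT"},
            "/images/kernel": {"data": "kernel-bytes", "type": "kernel"},
            "/images/kernel/hash-1": {"algo": "sha256"},
            "/images/fdt-1": {"data": "dtb-bytes", "type": "flat_dt"},
            "/configurations/conf-1": {"kernel": "kernel", "fdt": "fdt-1"}}
```

A signature that is valid over a shortened hashed-nodes list is rejected before the MAC is examined, so the list's content no longer decides which images are trusted.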
Published: 2026-03-20
Score: 8.3 High
EPSS: < 1% Very Low
KEV: No
Impact: Bootloader integrity bypass allowing execution of unsigned images
Action: Immediate Patch
AI Analysis

Impact

The vulnerability permits an attacker to alter the signed image metadata so that the bootloader ignores integrity checks on certain firmware components and loads replacements that were not signed, facilitating the deployment of malicious firmware during system startup.

Affected Systems

Products impacted include the barebox bootloader from release 2016.03.0 up through 2026.03.0, as well as the backported 2025.09.3 build. Related U-Boot releases from denx, such as the 2026.04 release candidates, and barebox images supplied by pengutronix are also affected.

Risk and Exploitability

Severity is high with a score of 8.3, and the likelihood of exploitation is low, noted as less than one percent. The flaw is not recorded in the known exploited vulnerabilities catalog. Exploitation would require the ability to construct or modify FIT images, typically through firmware modification or direct device access; the attack vector is therefore most likely local or physical.

Generated by OpenCVE AI on March 26, 2026 at 22:12 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the patched barebox version 2026.03.1 or the backported 2025.09.3 release, or update affected U-Boot builds that incorporate the fix.
  • Verify that firmware images are signed with the updated bootloader and that the hashed-nodes field is immutable.
  • Monitor vendor advisories for future updates and ensure that any firmware flashing process validates authenticity before installation.

Advisories

No advisories yet.

History

Thu, 26 Mar 2026 20:30:00 +0000

Type: Description
Values Removed: barebox is a bootloader. In barebox from version 2016.03.0 to before version 2025.09.3 and from version 2025.10.0 to before version 2026.03.1, when creating a FIT, mkimage(1) sets the hashed-nodes property of the FIT signature node to list which nodes of the FIT were hashed as part of the signing process as these will need to be verified later on by the bootloader. However, hashed-nodes itself is not part of the hash and can therefore be modified by an attacker to trick the bootloader into booting different images than those that have been verified. This issue has been patched in barebox versions 2025.09.3 and 2026.03.1.
Values Added: barebox is a bootloader. In barebox from version 2016.03.0 to before version 2026.03.1 (and the corresponding backport to 2025.09.3), an attacker could exploit a FIT signature verification vulnerability to trick the bootloader into booting different images than those that were verified as part of a signed configuration. mkimage(1) sets the hashed-nodes property of the FIT signature node to list which nodes of the FIT were hashed as part of the signing process as these will need to be verified later on by the bootloader. However, hashed-nodes itself is not part of the hash and could therefore be modified to allow booting different images than those that have been verified. This issue has been patched in barebox versions 2026.03.1 and backported to 2025.09.3.

Wed, 25 Mar 2026 19:30:00 +0000

Type: First Time appeared
Values Added: Denx; Denx u-boot; Pengutronix; Pengutronix barebox
Type: CPEs
Values Added:
  • cpe:2.3:a:denx:u-boot:*:*:*:*:*:*:*:*
  • cpe:2.3:a:denx:u-boot:2026.04:rc1:*:*:*:*:*:*
  • cpe:2.3:a:denx:u-boot:2026.04:rc2:*:*:*:*:*:*
  • cpe:2.3:a:denx:u-boot:2026.04:rc3:*:*:*:*:*:*
  • cpe:2.3:a:pengutronix:barebox:*:*:*:*:*:*:*:*
Type: Vendors & Products
Values Added: Denx; Denx u-boot; Pengutronix; Pengutronix barebox

Tue, 24 Mar 2026 16:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 23 Mar 2026 10:00:00 +0000

Type: First Time appeared
Values Added: Barebox; Barebox barebox
Type: Vendors & Products
Values Added: Barebox; Barebox barebox

Fri, 20 Mar 2026 23:00:00 +0000

Type: Description
Values Added: barebox is a bootloader. In barebox from version 2016.03.0 to before version 2025.09.3 and from version 2025.10.0 to before version 2026.03.1, when creating a FIT, mkimage(1) sets the hashed-nodes property of the FIT signature node to list which nodes of the FIT were hashed as part of the signing process as these will need to be verified later on by the bootloader. However, hashed-nodes itself is not part of the hash and can therefore be modified by an attacker to trick the bootloader into booting different images than those that have been verified. This issue has been patched in barebox versions 2025.09.3 and 2026.03.1.
Type: Title
Values Added: barebox: FIT Signature Verification Bypass Vulnerability
Type: Weaknesses
Values Added: CWE-345
Type: References
Type: Metrics
Values Added: cvssV3_1 {'score': 8.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-26T20:08:12.009Z

Reserved: 2026-03-18T02:42:27.509Z

Link: CVE-2026-33243

Vulnrichment

Updated: 2026-03-24T15:31:31.448Z

NVD

Status: Modified

Published: 2026-03-20T23:16:47.167

Modified: 2026-03-26T21:17:05.430

Link: CVE-2026-33243

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T09:21:28Z

Weaknesses