Description
barebox prior to version 2026.04.0 contains an out-of-bounds read vulnerability in DHCP option parsing within the dhcp_message_type() function that fails to verify the options pointer remains within received packet bounds. An attacker on the same broadcast domain can send a crafted DHCP Offer or ACK packet without a proper 0xff end marker to cause the parser to read past valid packet data and potentially crash the system.
Published: 2026-05-11
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an out‑of‑bounds read in the DHCP option parsing logic of barebox, specifically in the dhcp_message_type() function. When a packet lacks the proper end marker, the parser accesses memory beyond the packet bounds, which can result in a crash and, in some configurations, expose unread memory contents. The flaw is a classic off‑by‑one or buffer underrun weakness (CWE‑125).

Affected Systems

barebox:barebox is affected. All builds older than version 2026.04.0 contain the unpatched code. Devices that use these earlier barebox releases and receive DHCP traffic are vulnerable.

Risk and Exploitability

The CVSS score is 7.1, indicating a high impact threat. EPSS data is unavailable, but the scheduler does not list this vulnerability in KEV. The attack requires the ability to send a crafted DHCP Offer or ACK packet on the same broadcast domain, meaning a local network adversary can exploit the flaw without any privileged access. Successful exploitation would likely cause a denial‑of‑service or, if memory leakage occurs, could provide sensitive information.

Generated by OpenCVE AI on May 11, 2026 at 22:56 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install barebox release 2026.04.0 or later to remove the vulnerable parser logic.
  • If an upgrade cannot be performed immediately, isolate the affected device from the broadcast domain and deny inbound DHCP traffic to prevent the crafted packets from reaching it.
  • Implement packet inspection or filtering to detect and drop malformed DHCP Offer or ACK packets that lack the correct 0xff end marker, mitigating exploitation while a fix is applied.

Generated by OpenCVE AI on May 11, 2026 at 22:56 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 12 May 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 12 May 2026 00:00:00 +0000

Type Values Removed Values Added
First Time appeared Barebox
Barebox barebox
Vendors & Products Barebox
Barebox barebox

Mon, 11 May 2026 21:30:00 +0000

Type Values Removed Values Added
Description barebox prior to version 2026.04.0 contains an out-of-bounds read vulnerability in DHCP option parsing within the dhcp_message_type() function that fails to verify the options pointer remains within received packet bounds. An attacker on the same broadcast domain can send a crafted DHCP Offer or ACK packet without a proper 0xff end marker to cause the parser to read past valid packet data and potentially crash the system.
Title barebox Out-of-Bounds Read in DHCP Option Parsing
Weaknesses CWE-125
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

cvssV4_0

{'score': 7.1, 'vector': 'CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Barebox Barebox
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-12T14:27:53.205Z

Reserved: 2026-03-31T17:58:43.754Z

Link: CVE-2026-34960

cve-icon Vulnrichment

Updated: 2026-05-12T13:21:02.236Z

cve-icon NVD

Status : Received

Published: 2026-05-11T22:22:10.847

Modified: 2026-05-11T22:22:10.847

Link: CVE-2026-34960

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-11T23:45:02Z

Weaknesses