Description
barebox prior to version 2026.04.0 contains out-of-bounds read vulnerabilities in ext4 extent parsing due to missing validation of the eh_entries field against buffer capacity in fs/ext4/ext4_common.c. Attackers can supply a malicious ext4 filesystem image via USB, SD card, or network boot to trigger heap out-of-bounds reads during boot-time filesystem parsing, potentially redirecting reads to arbitrary disk offsets.
Published: 2026-05-11
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw resides in barebox’s parsing of ext4 extent structures. Because fs/ext4/ext4_common.c does not validate the eh_entries value against the size of the buffer that holds the extent header, an attacker can supply a crafted ext4 image via USB, SD card, or network boot that triggers a heap out-of-bounds read during boot-time parsing. This may cause barebox to read past the buffer and follow reads to arbitrary disk offsets, potentially exposing sensitive data or facilitating further compromise.
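As an added illustration of the check the description and analysis above call missing (this is example code, not barebox's own), the following bounds an ext4 extent header's eh_entries by the capacity of the buffer that holds it before any entry is walked. The layout constants, the 60-byte and 4096-byte buffer sizes, and the constructed sample headers are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* On-disk ext4 extent layout (little-endian); constants written for this example, not barebox's. */
#define EXT4_EXT_MAGIC       0xF30A
#define EXT4_EXT_HEADER_SIZE 12 /* eh_magic, eh_entries, eh_max, eh_depth, eh_generation */
#define EXT4_EXT_ENTRY_SIZE  12 /* one extent leaf or index entry */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = v & 0xff; p[1] = v >> 8; }

/* Validate the extent header at the start of buf (buf_len bytes: the 60-byte inode
 * i_block area or one filesystem block). Returns the number of entries that can be
 * walked without leaving buf, or -1 if the header is inconsistent with the buffer. */
int ext4_extent_header_entries(const uint8_t *buf, size_t buf_len)
{
    if (buf_len < EXT4_EXT_HEADER_SIZE)
        return -1;
    uint16_t magic = rd16(buf), entries = rd16(buf + 2), max = rd16(buf + 4);
    if (magic != EXT4_EXT_MAGIC || entries > max)
        return -1;
    /* The check the advisory describes as missing: bound eh_entries (and eh_max)
     * by how many entries actually fit behind the header in this buffer. */
    size_t capacity = (buf_len - EXT4_EXT_HEADER_SIZE) / EXT4_EXT_ENTRY_SIZE;
    if (entries > capacity || max > capacity)
        return -1;
    return (int)entries;
}

/* Construct a header with the given fields (constructed test input) and validate it. */
int check_constructed(size_t buf_len, uint16_t entries, uint16_t max)
{
    uint8_t buf[4096];              /* assumed upper bound: one ext4 block */
    if (buf_len > sizeof buf)
        return -1;
    memset(buf, 0, buf_len);
    wr16(buf, EXT4_EXT_MAGIC);
    wr16(buf + 2, entries);
    wr16(buf + 4, max);
    return ext4_extent_header_entries(buf, buf_len);
}

int main(void)
{
    /* A well-formed 60-byte i_block header (2 of 4 entries) versus a crafted one. */
    printf("well-formed: %d  crafted: %d\n", check_constructed(60, 2, 4), check_constructed(60, 1000, 1000));
    return 0;
}
```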

Affected Systems

All barebox releases before v2026.04.0 are affected. The vulnerability is documented for the barebox:barebox product line and impacts any embedded device that boots from ext4 images using external media or network boot.

Risk and Exploitability

The CVSS score of 6.9 indicates a moderate risk; the EPSS score is unavailable and the vulnerability is not listed in CISA’s KEV catalog, suggesting no known public exploits. The attack vector requires physical or network boot access to supply a malicious filesystem. While the risk is not high, the possibility of data disclosure warrants prompt remediation.

Generated by OpenCVE AI on May 12, 2026 at 00:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the device to barebox version 2026.04.0 or later to patch the boundary validation flaw.
  • Verify that all boot images come from a trusted source by employing digital signatures or integrity checks before the boot process.
  • Restrict or disable booting from USB, SD card, or network sources that are not required for normal operation, enforcing access controls to prevent insertion of malicious media.



Advisories

No advisories yet.

History

Tue, 12 May 2026 14:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 12 May 2026 00:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Barebox; Barebox barebox
Vendors & Products | | Barebox; Barebox barebox

Mon, 11 May 2026 22:00:00 +0000

Type | Values Removed | Values Added
Description | | barebox prior to version 2026.04.0 contains out-of-bounds read vulnerabilities in ext4 extent parsing due to missing validation of the eh_entries field against buffer capacity in fs/ext4/ext4_common.c. Attackers can supply a malicious ext4 filesystem image via USB, SD card, or network boot to trigger heap out-of-bounds reads during boot-time filesystem parsing, potentially redirecting reads to arbitrary disk offsets.
Title | | barebox ext4 Extent Parsing Out-of-Bounds Read
Weaknesses | | CWE-125
References | |
Metrics | | cvssV3_1 {'score': 6.2, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}; cvssV4_0 {'score': 6.9, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-12T14:28:22.639Z

Reserved: 2026-03-31T17:58:43.754Z

Link: CVE-2026-34961

Vulnrichment

Updated: 2026-05-12T13:39:18.204Z

NVD

Status: Received

Published: 2026-05-11T22:22:11.000

Modified: 2026-05-11T22:22:11.000

Link: CVE-2026-34961

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-12T00:15:07Z

Weaknesses