Description
barebox version prior to 2026.04.0 contains a denial-of-service vulnerability in ext4 directory parsing in fs/ext4/ext4_common.c where the ext4fs_iterate_dir() function fails to validate that directory entry length values are non-zero. Attackers can supply a malicious ext4 filesystem image with a crafted directory entry containing a direntlen value of 0 to cause an infinite loop during directory listing or path resolution, resulting in the boot process hanging indefinitely.
Published: 2026-05-11
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in barebox’s ext4 directory parsing allows a crafted filesystem image to cause the boot process to hang indefinitely. The ext4fs_iterate_dir() routine does not check that directory entry length values are non‑zero, so a malicious entry with a zero length can trigger an infinite loop while listing a directory or resolving a path. This results in a denial of service that halts the system before it can fully boot. The vulnerability is identified as CWE‑835, reflecting an infinite loop flaw.
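To make the defect concrete, the following is an added example (not barebox's own code, and not taken from the patched fs/ext4/ext4_common.c) of a directory-block walker that rejects a zero rec_len instead of spinning on it. It uses the standard on-disk ext4_dir_entry_2 layout (u32 inode, u16 rec_len, u8 name_len, u8 file_type, then the name); the function names, the callback type and the 64-byte sample block are assumptions constructed for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Header size of an on-disk ext4 directory entry (ext4_dir_entry_2):
 * u32 inode, u16 rec_len, u8 name_len, u8 file_type, then the name. */
#define EXT4_DIRENT_HDR 8

typedef int (*ext4_dirent_cb)(uint32_t inode, const char *name,
                              size_t name_len, void *ctx);

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Walk one directory block, calling cb for every live entry (inode != 0).
 * Returns the number of live entries, or -1 if the block is malformed.
 * Each rejection is a case where the loop would otherwise fail to advance
 * or would read past the block; rec_len == 0 is the case the advisory
 * describes. The special rec_len encoding for 64 KiB blocks is not handled. */
int ext4_walk_dir_block(const uint8_t *blk, size_t blk_len,
                        ext4_dirent_cb cb, void *ctx)
{
    size_t off = 0;
    int count = 0;

    while (off < blk_len) {
        if (blk_len - off < EXT4_DIRENT_HDR)
            return -1;                       /* truncated header */

        uint32_t inode    = le32(blk + off);
        uint16_t rec_len  = le16(blk + off + 4);
        uint8_t  name_len = blk[off + 6];
        size_t   min_len  = (EXT4_DIRENT_HDR + (size_t)name_len + 3) & ~(size_t)3;

        if (rec_len == 0)
            return -1;                       /* would loop forever at this offset */
        if (rec_len & 3)
            return -1;                       /* entries are 4-byte aligned */
        if (rec_len < min_len)
            return -1;                       /* name does not fit in the record */
        if (rec_len > blk_len - off)
            return -1;                       /* record runs past the block */

        if (inode != 0) {
            if (cb && cb(inode, (const char *)blk + off + EXT4_DIRENT_HDR,
                         name_len, ctx) != 0)
                return -1;                   /* callback asked to abort */
            count++;
        }
        off += rec_len;                      /* guaranteed > 0 by the checks above */
    }
    return count;
}

/* Constructed 64-byte directory block holding ".", ".." and "hello"; not from
 * any real image. The last record is padded to the end of the block as ext4 does. */
static const uint8_t sample_dir_block[64] = {
    0x02,0x00,0x00,0x00, 0x0c,0x00, 0x01, 0x02, '.', 0,0,0,          /* "."  rec_len 12 */
    0x02,0x00,0x00,0x00, 0x0c,0x00, 0x02, 0x02, '.','.', 0,0,        /* ".." rec_len 12 */
    0x0c,0x00,0x00,0x00, 0x28,0x00, 0x05, 0x01, 'h','e','l','l','o', /* "hello" rec_len 40 */
    /* remaining bytes are zero padding */
};

static int print_entry(uint32_t inode, const char *name, size_t name_len, void *ctx)
{
    (void)ctx;
    printf("inode %u  %.*s\n", (unsigned)inode, (int)name_len, name);
    return 0;
}

/* Well-formed sample: expect 3 entries. */
int walk_sample_ok(void)
{
    return ext4_walk_dir_block(sample_dir_block, sizeof sample_dir_block, NULL, NULL);
}

/* Same block with the third record's rec_len forced to 0 (the advisory's
 * pattern): expect -1 instead of a hang. */
int walk_sample_zero_reclen(void)
{
    uint8_t blk[64];
    memcpy(blk, sample_dir_block, sizeof blk);
    blk[28] = 0; blk[29] = 0;                /* third record starts at offset 24 */
    return ext4_walk_dir_block(blk, sizeof blk, NULL, NULL);
}

/* Same block with the third record claiming to extend past the block: expect -1. */
int walk_sample_oversized_reclen(void)
{
    uint8_t blk[64];
    memcpy(blk, sample_dir_block, sizeof blk);
    blk[28] = 0x2c; blk[29] = 0;             /* rec_len 44 > 40 bytes remaining */
    return ext4_walk_dir_block(blk, sizeof blk, NULL, NULL);
}

int main(void)
{
    int n = ext4_walk_dir_block(sample_dir_block, sizeof sample_dir_block, print_entry, NULL);
    printf("valid block: %d entries\n", n);
    printf("zero rec_len block: %d\n", walk_sample_zero_reclen());
    return 0;
}
```

The point of the checks is that the offset must strictly increase on every iteration and never leave the block; any rec_len that violates that is reported as corruption so a boot-time path lookup fails fast rather than hanging.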

Affected Systems

All barebox releases prior to 2026.04.0 are affected. The issue resides in the barebox:barebox product line and applies to any firmware version that includes the ext4 file system support without the patch introduced in the 2026.04.0 release.

Risk and Exploitability

The CVSS score of 6.9 indicates a moderate severity. The EPSS score is not available, and the vulnerability is not listed in CISA’s KEV catalog, suggesting a lower likelihood of widespread exploitation. The most apparent attack vector is the introduction of a malicious ext4 image during the boot sequence; thus the risk is confined to environments that boot from untrusted or user‑supplied images. Exploitation leads to a boot hang rather than privilege escalation or data compromise, limiting the impact to availability issues for the affected system.

Generated by OpenCVE AI on May 12, 2026 at 00:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official barebox 2026.04.0 or newer upgrade, which adds validation that directory entry lengths are non‑zero and resolves the CWE‑835 infinite loop flaw.
  • Validate boot images using cryptographic signatures or checksums to detect malicious directory entries that could trigger the infinite loop flaw.
  • Enforce secure boot or restrict boot media to trusted images, limiting the possibility of loading a crafted ext4 image that exploits the infinite loop defect.

Advisories

No advisories yet.

History

Tue, 12 May 2026 00:00:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Barebox
                                       Barebox barebox
Vendors & Products                     Barebox
                                       Barebox barebox

Mon, 11 May 2026 22:30:00 +0000

Type          Values Removed   Values Added
Description                    barebox version prior to 2026.04.0 contains a denial-of-service vulnerability in ext4 directory parsing in fs/ext4/ext4_common.c where the ext4fs_iterate_dir() function fails to validate that directory entry length values are non-zero. Attackers can supply a malicious ext4 filesystem image with a crafted directory entry containing a direntlen value of 0 to cause an infinite loop during directory listing or path resolution, resulting in the boot process hanging indefinitely.
Title                          barebox ext4 Directory Parsing Infinite Loop Denial of Service
Weaknesses                     CWE-835
References
Metrics                        cvssV3_1: {'score': 6.2, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}
                               cvssV4_0: {'score': 6.9, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-12T14:28:59.013Z

Reserved: 2026-03-31T17:58:43.754Z

Link: CVE-2026-34962

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-11T23:19:47.813

Modified: 2026-05-11T23:19:47.813

Link: CVE-2026-34962

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-12T00:15:07Z

Weaknesses