Description
barebox version prior to 2026.04.0 contains multiple memory-safety vulnerabilities in the EFI PE loader in efi/loader/pe.c where integer overflow in virtual image size computation using 32-bit arithmetic on section VirtualAddress and size values allows undersized heap allocation, and PE section loading logic fails to validate that PointerToRawData plus copied size remains within the PE file buffer. An attacker can supply a malicious EFI PE binary via TFTP, USB, SD card, or network boot to trigger heap buffer overflow or out-of-bounds read from heap memory, potentially achieving code execution in bootloader context.
Published: 2026-05-11
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an integer overflow in the EFI PE loader's calculation of virtual image size, where 32‑bit arithmetic on section VirtualAddress and size values allows an undersized heap allocation. The loader also fails to verify that PointerToRawData plus the copied size remains inside the PE file buffer. As a result, an attacker supplying a crafted EFI PE binary can cause a heap buffer overflow or out‑of‑bounds read and potentially execute arbitrary code in the bootloader context.

Affected Systems

The flaw affects barebox firmware versions prior to v2026.04.0. The affected vendor is barebox:barebox. Any installation of these legacy firmware images that can be booted from TFTP, USB, SD card, or over the network is subject to this weakness.

Risk and Exploitability

The CVSS score of 8.6 denotes high severity. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog. The attack vector is feasible because a malicious EFI PE file can be delivered via common boot media such as TFTP, USB, SD card, or network boot. The impact, if exploited, is code execution at the bootloader level, which could compromise the entire system before the operating system loads.

Generated by OpenCVE AI on May 12, 2026 at 00:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update barebox to version 2026.04.0 or newer, which corrects the integer overflow and adds bounds checks to the PE loader.
  • Disable or restrict boot modes that load EFI binaries from untrusted sources (e.g., TFTP, network boot, or unknown USB/SD media) until the firmware is patched.
  • If an immediate firmware upgrade is not possible, monitor boot logs for abnormal memory access errors and ensure that only signed, verified firmware binaries are used.

Generated by OpenCVE AI on May 12, 2026 at 00:05 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 12 May 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 12 May 2026 00:00:00 +0000

Type Values Removed Values Added
First Time appeared Barebox
Barebox barebox
Vendors & Products Barebox
Barebox barebox

Mon, 11 May 2026 22:45:00 +0000

Type Values Removed Values Added
Description barebox version prior to 2026.04.0 contains multiple memory-safety vulnerabilities in the EFI PE loader in efi/loader/pe.c where integer overflow in virtual image size computation using 32-bit arithmetic on section VirtualAddress and size values allows undersized heap allocation, and PE section loading logic fails to validate that PointerToRawData plus copied size remains within the PE file buffer. An attacker can supply a malicious EFI PE binary via TFTP, USB, SD card, or network boot to trigger heap buffer overflow or out-of-bounds read from heap memory, potentially achieving code execution in bootloader context.
Title barebox EFI PE Loader Memory Safety Vulnerabilities
Weaknesses CWE-190
References
Metrics cvssV3_1

{'score': 8.4, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

cvssV4_0

{'score': 8.6, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Barebox Barebox
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-12T14:29:59.597Z

Reserved: 2026-03-31T17:58:43.754Z

Link: CVE-2026-34963

cve-icon Vulnrichment

Updated: 2026-05-12T12:50:59.362Z

cve-icon NVD

Status : Received

Published: 2026-05-11T23:19:47.950

Modified: 2026-05-11T23:19:47.950

Link: CVE-2026-34963

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-12T00:15:07Z

Weaknesses