Description
openFPGALoader is a utility for programming FPGAs. In 1.1.1 and earlier, a heap-buffer-overflow read vulnerability exists in BitParser::parseHeader() that allows out-of-bounds heap memory access when parsing a crafted .bit file. No FPGA hardware is required to trigger this vulnerability.
Published: 2026-04-06
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Heap buffer overflow read vulnerability (out‑of‑bounds heap read)
Action: Patch
AI Analysis

Impact

openFPGALoader, a tool for programming FPGAs, contains a heap‑buffer‑overflow read in BitParser::parseHeader(). When the program parses a specially crafted .bit file, it can read memory beyond intended bounds. The flaw is a read‑only out‑of‑bounds access; the description does not indicate code execution, but the vulnerability could allow an attacker to reveal sensitive memory contents.

Affected Systems

The vulnerability affects the trabucayre openFPGALoader utility. Versions 1.1.1 and prior are impacted. Any system running those versions, regardless of whether FPGA hardware is connected, is susceptible to the flaw because the heap read occurs during file parsing.

Risk and Exploitability

The CVSS score of 7.1 suggests moderate‑to‑high risk. EPSS data is not available, and the vulnerability is not yet listed in the CISA KEV catalog. The likely attack vector is local or remote file‑processing; an attacker who can supply a malicious .bit file to the vulnerable program can trigger the out‑of‑bounds read. No specific hardware or additional conditions are required to exploit the flaw. The impact is primarily information disclosure of arbitrary heap data, potentially leading to further attacks if the information is valuable.

Generated by OpenCVE AI on April 7, 2026 at 01:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest version of openFPGALoader that removes the heap‑buffer‑overflow read in BitParser::parseHeader()
  • Avoid loading or parsing .bit files from untrusted sources until a patch is applied
  • Monitor the trabucayre GitHub repository or security advisories for further updates or patches

Generated by OpenCVE AI on April 7, 2026 at 01:41 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 07 Apr 2026 18:00:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 07 Apr 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Trabucayre
Trabucayre openfpgaloader
Vendors & Products Trabucayre
Trabucayre openfpgaloader

Mon, 06 Apr 2026 20:00:00 +0000

Type Values Removed Values Added
Description openFPGALoader is a utility for programming FPGAs. In 1.1.1 and earlier, a heap-buffer-overflow read vulnerability exists in BitParser::parseHeader() that allows out-of-bounds heap memory access when parsing a crafted .bit file. No FPGA hardware is required to trigger this vulnerability.
Title openFPGALoader has a heap buffer overflow in BitParser::parseHeader() via crafted .bit file
Weaknesses CWE-125
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H'}

Subscriptions

Trabucayre Openfpgaloader
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-07T15:10:56.071Z

Reserved: 2026-04-01T17:26:21.133Z

Link: CVE-2026-35170

cve-icon Vulnrichment

Updated: 2026-04-07T15:10:52.419Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-06T20:16:25.450

Modified: 2026-04-07T13:20:11.643

Link: CVE-2026-35170

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-07T09:37:43Z

Weaknesses