Description
openFPGALoader is a utility for programming FPGAs. In 1.1.1 and earlier, a heap-buffer-overflow read vulnerability exists in POFParser::parseSection() that allows out-of-bounds heap memory access when parsing a crafted .pof file. No FPGA hardware is required to trigger this vulnerability.
Published: 2026-04-06
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Heap Buffer Overflow
Action: Apply Patch
AI Analysis

Impact

openFPGALoader, a command‑line tool for programming FPGAs, contains a heap‑buffer‑overflow read in the POFParser::parseSection() routine. When it parses a specially crafted .pof file, the parser accesses memory beyond the bounds of an allocated buffer. The vulnerability does not require any FPGA hardware to trigger and can simply be exercised by running the utility against a maliciously crafted file. The out‑of‑bounds read may expose sensitive data that resides on the heap, potentially leading to information disclosure or, if the heap is overwritten, a crash or other downstream failures.

Affected Systems

The flaw affects trabucayre:openFPGALoader versions 1.1.1 and earlier. Upgrading to any release newer than 1.1.1 removes the vulnerable code path. No other vendor or product is directly impacted by this issue.

Risk and Exploitability

The CVSS base score of 7.1 indicates a high‑risk flaw. No exploit probability was reported and the vulnerability is not listed in CISA’s KEV catalog. Because the attack only requires a crafted .pof file and can be exercised locally by anyone who can run openFPGALoader, the attack vector is inferred to be local or remote code running on the same system. An attacker could obtain confidential data from the process’s memory or cause denial of service by crashing the program.

Generated by OpenCVE AI on April 7, 2026 at 01:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check the current openFPGALoader version you are running.
  • If the version is 1.1.1 or older, update to the latest release available from the project’s repository.
  • Verify that any third‑party .pof files are from trusted sources before loading them with openFPGALoader.
  • Consider disabling or restricting execution of openFPGALoader if it is not required in your environment.
  • Keep the system’s software stack updated to benefit from future security patches.

Generated by OpenCVE AI on April 7, 2026 at 01:40 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 07 Apr 2026 18:00:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 07 Apr 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Trabucayre
Trabucayre openfpgaloader
Vendors & Products Trabucayre
Trabucayre openfpgaloader

Mon, 06 Apr 2026 20:00:00 +0000

Type Values Removed Values Added
Description openFPGALoader is a utility for programming FPGAs. In 1.1.1 and earlier, a heap-buffer-overflow read vulnerability exists in POFParser::parseSection() that allows out-of-bounds heap memory access when parsing a crafted .pof file. No FPGA hardware is required to trigger this vulnerability.
Title openFPGALoader has a heap buffer overflow in POFParser::parseSection() via crafted .pof file
Weaknesses CWE-125
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H'}

Subscriptions

Trabucayre Openfpgaloader
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-07T15:10:26.593Z

Reserved: 2026-04-01T17:26:21.133Z

Link: CVE-2026-35176

cve-icon Vulnrichment

Updated: 2026-04-07T15:06:41.933Z

cve-icon NVD

Status : Undergoing Analysis

Published: 2026-04-06T20:16:25.773

Modified: 2026-04-07T16:16:25.267

Link: CVE-2026-35176

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-07T09:37:40Z

Weaknesses