CVE-2026-6862 - Vulnerability Details

- Efivar: efivar: denial of service due to stack overflow in device path node parsing

Description

A flaw was found in libefiboot, a component of efivar. The device path node parser in libefiboot fails to validate that each node's Length field is at least 4 bytes, which is the minimum size for an EFI (Extensible Firmware Interface) device path node header. A local user could exploit this vulnerability by providing a specially crafted device path node. This can lead to infinite recursion, causing stack exhaustion and a process crash, resulting in a denial of service (DoS).

Published: 2026-04-22

Score: 5.5 Medium

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

A flaw in libefiboot, a component of efivar, occurs when the device path node parser fails to ensure that each node’s Length field is at least 4 bytes, the minimum size for an EFI device path node header. This defect allows a specially crafted device path node to trigger infinite recursion, exhausting the stack and crashing the process. The resultant denial of service can cripple applications that depend on efivar and may impact system stability if the crashed process is critical.

Affected Systems

The vulnerability affects multiple Red Hat products, including Red Hat Enterprise Linux 10, 7, 8, 9 and Red Hat OpenShift Container Platform 4.

Risk and Exploitability

The CVSS score of 5.5 indicates moderate severity. The EPSS score is not available, and the vulnerability is not listed in CISA’s KEV catalog. Exploitation requires a local user able to supply a crafted device path node, so the attack vector is inferred to be local. No remote or privilege‑escalation vector is documented. Given the moderate score and local nature, the risk is present but limited to systems that run vulnerable versions of libefiboot and accept handcrafted device paths.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor	Product	Default status	Versions
Red Hat	Red Hat Enterprise Linux 10	unknown	—
Red Hat	Red Hat Enterprise Linux 7	unknown	—
Red Hat	Red Hat Enterprise Linux 8	unknown	—
Red Hat	Red Hat Enterprise Linux 9	unknown	—
Red Hat	Red Hat OpenShift Container Platform 4	unknown	—

No data.

No data available yet.

Remediation

Vendor Workaround

Applications using efi_loadopt_is_valid() should validate the size of the input buffer before passing it to libefiboot. As a library-level fix, the device path iterator should enforce a minimum node Length of 4 before recursing: if (dp->length < 4) return -1;

OpenCVE Recommended Actions

Install the latest Red Hat package update for libefiboot that includes the node length validation fix for RHEL 7 through 10 and OpenShift 4.
If no update is available yet, modify applications that call efi_loadopt_is_valid() to validate the size of the input buffer before requesting libefiboot to process it.
At the library level, patch libefiboot so that the device path iterator checks that each node’s Length field is at least 4 bytes and returns an error if it is not to prevent stack exhaustion.

Generated by OpenCVE AI on April 22, 2026 at 19:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://access.redhat.com/security/cve/CVE-2026-6862
https://bugzilla.redhat.com/show_bug.cgi?id=2459982

History

Wed, 22 Apr 2026 15:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Wed, 22 Apr 2026 14:15:00 +0000

Type	Values Removed	Values Added
Description		A flaw was found in libefiboot, a component of efivar. The device path node parser in libefiboot fails to validate that each node's Length field is at least 4 bytes, which is the minimum size for an EFI (Extensible Firmware Interface) device path node header. A local user could exploit this vulnerability by providing a specially crafted device path node. This can lead to infinite recursion, causing stack exhaustion and a process crash, resulting in a denial of service (DoS).
Title		Efivar: efivar: denial of service due to stack overflow in device path node parsing
First Time appeared		Redhat Redhat enterprise Linux Redhat openshift
Weaknesses		CWE-674
CPEs		cpe:/a:redhat:openshift:4 cpe:/o:redhat:enterprise_linux:10 cpe:/o:redhat:enterprise_linux:7 cpe:/o:redhat:enterprise_linux:8 cpe:/o:redhat:enterprise_linux:9
Vendors & Products		Redhat Redhat enterprise Linux Redhat openshift
References		https://access.redhat.com/security/cve/CVE-2026-6862 https://bugzilla.redhat.com/show_bug.cgi?id=2459982
Metrics		cvssV3_1 `{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H'}`

Subscriptions

Redhat Enterprise Linux Openshift

MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2026-04-22T13:45:45.503Z

Updated: 2026-04-22T14:28:14.132Z

Reserved: 2026-04-22T13:19:59.764Z

Link: CVE-2026-6862

Vulnrichment

Updated: 2026-04-22T14:28:06.496Z

NVD

Status : Awaiting Analysis

Published: 2026-04-22T14:17:08.060

Modified: 2026-04-22T21:23:52.620

Link: CVE-2026-6862

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T19:30:24Z

Weaknesses

CWE-674

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction Required

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object