CVE-2026-33243
Received - Intake
Hash Manipulation in barebox FIT Signature Allows Boot Bypass

Publication date: 2026-03-20

Last updated on: 2026-03-26

Assigner: GitHub, Inc.

Description
barebox is a bootloader. In barebox from version 2016.03.0 to before version 2026.03.1 (and the corresponding backport to 2025.09.3), an attacker could exploit a FIT signature verification vulnerability to trick the bootloader into booting different images than those that were verified as part of a signed configuration. mkimage(1) sets the hashed-nodes property of the FIT signature node to list which nodes of the FIT were hashed as part of the signing process as these will need to be verified later on by the bootloader. However, hashed-nodes itself is not part of the hash and could therefore be modified to allow booting different images than those that have been verified. This issue has been patched in barebox versions 2026.03.1 and backported to 2025.09.3.
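The gap described above, shown in a simplified Python model (an added example, not barebox or mkimage code). Assumptions: HMAC stands in for the FIT signature, only node contents are hashed, all paths and byte strings are constructed, and the coverage check in the hypothetical `verify_with_coverage` is one illustrative way to close the gap, not the barebox patch.

```python
import copy
import hashlib
import hmac

KEY = b"constructed-demo-key"        # HMAC stands in for the real signature (assumption)
CONF = "/configurations/conf-1"      # constructed configuration path

def digest(fit, paths):
    """Hash the contents of the listed nodes in order (model: names are not bound)."""
    h = hashlib.sha256()
    for path in paths:
        h.update(fit["nodes"][path])
    return h.digest()

def referenced(fit, conf):
    """Nodes the boot will really use: the configuration plus the images it names."""
    entries = fit["nodes"][conf].decode().split(",")
    return [conf] + [entry.split("=", 1)[1] for entry in entries]

def sign(fit, conf):
    """Model of the signing step: record hashed-nodes, sign the digest of those nodes."""
    paths = referenced(fit, conf)
    mac = hmac.new(KEY, digest(fit, paths), "sha256").digest()
    fit["sig"] = {"hashed-nodes": paths, "value": mac}   # the list is outside the digest

def verify_trusting_list(fit, conf):
    """Flawed pattern: the unauthenticated list alone decides what gets hashed."""
    sig = fit["sig"]                 # note: conf is never consulted here
    if any(path not in fit["nodes"] for path in sig["hashed-nodes"]):
        return False
    mac = hmac.new(KEY, digest(fit, sig["hashed-nodes"]), "sha256").digest()
    return hmac.compare_digest(mac, sig["value"])

def verify_with_coverage(fit, conf):
    """Hardened: every node the boot uses must be in the hashed set, then check the MAC."""
    if not set(referenced(fit, conf)) <= set(fit["sig"]["hashed-nodes"]):
        return False
    return verify_trusting_list(fit, conf)

def build_samples():
    """Constructed inputs: a signed FIT model and a copy with an edited hashed-nodes."""
    good = {"nodes": {CONF: b"kernel=/images/kernel", "/images/kernel": b"signed kernel"}}
    sign(good, CONF)
    edited = copy.deepcopy(good)
    edited["nodes"]["/images/kernel"] = b"unsigned kernel"   # what would be booted
    edited["nodes"]["/images/spare"] = b"signed kernel"      # what gets hashed instead
    edited["sig"]["hashed-nodes"] = [CONF, "/images/spare"]
    return good, edited

if __name__ == "__main__":
    for name, fit in zip(("good", "edited"), build_samples()):
        print(name, verify_trusting_list(fit, CONF), verify_with_coverage(fit, CONF))
```

The list-trusting verifier accepts both samples, while the coverage check accepts only the untouched one.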
Meta Information
Published: 2026-03-20
Last Modified: 2026-03-26
Generated: 2026-05-27
AI Q&A: 2026-03-21
EPSS Evaluated: 2026-05-25
Affected Vendors & Products
Showing 6 associated CPEs
Vendor        Product   Version / Range
denx          u-boot    From 2013.07 (inc) to 2026.04 (exc)
denx          u-boot    2026.04
denx          u-boot    2026.04
denx          u-boot    2026.04
pengutronix   barebox   From 2016.03.0 (inc) to 2025.09.3 (exc)
pengutronix   barebox   From 2025.10.0 (inc) to 2026.03.1 (exc)
CWE ID    Description
CWE-345   The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in the barebox bootloader versions from 2016.03.0 to before 2025.09.3 and from 2025.10.0 to before 2026.03.1. When creating a FIT (Flattened Image Tree), the mkimage tool sets a property called hashed-nodes in the FIT signature node. This property lists which nodes of the FIT were hashed during the signing process and are expected to be verified by the bootloader later.

However, the hashed-nodes property itself is not included in the hash. This means an attacker can modify the hashed-nodes property to mislead the bootloader into booting images that were not actually verified, potentially bypassing security checks.

This issue has been fixed in barebox versions 2025.09.3 and 2026.03.1.


How can this vulnerability impact me?

This vulnerability can allow an attacker with local access and high privileges to modify the hashed-nodes property in the FIT signature node, causing the bootloader to boot unverified or malicious images.

As a result, the attacker could execute unauthorized code during the boot process, potentially leading to full system compromise, loss of confidentiality, integrity, and availability of the system.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

I don't know


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, you should upgrade barebox to a patched version. The issue has been fixed in barebox versions 2025.09.3 and 2026.03.1.

