CVE-2026-33243
Received - Intake
Hash Manipulation in barebox FIT Signature Allows Boot Bypass

Publication date: 2026-03-20

Last updated on: 2026-03-26

Assigner: GitHub, Inc.

Description
barebox is a bootloader. In barebox from version 2016.03.0 to before version 2026.03.1 (and the corresponding backport to 2025.09.3), an attacker could exploit a FIT signature verification vulnerability to trick the bootloader into booting different images than those that were verified as part of a signed configuration. mkimage(1) sets the hashed-nodes property of the FIT signature node to list which nodes of the FIT were hashed as part of the signing process as these will need to be verified later on by the bootloader. However, hashed-nodes itself is not part of the hash and could therefore be modified to allow booting different images than those that have been verified. This issue has been patched in barebox versions 2026.03.1 and backported to 2025.09.3.
Meta Information
Published: 2026-03-20
Last Modified: 2026-03-26
Generated: 2026-06-16
AI Q&A: 2026-03-21
EPSS Evaluated: 2026-06-14
Affected Vendors & Products
Showing 6 associated CPEs
| Vendor | Product | Version / Range |
| --- | --- | --- |
| denx | u-boot | From 2013.07 (inc) to 2026.04 (exc) |
| denx | u-boot | 2026.04 |
| denx | u-boot | 2026.04 |
| denx | u-boot | 2026.04 |
| pengutronix | barebox | From 2016.03.0 (inc) to 2025.09.3 (exc) |
| pengutronix | barebox | From 2025.10.0 (inc) to 2026.03.1 (exc) |
CWE
| CWE ID | Description |
| --- | --- |
| CWE-345 | The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data. |
Executive Summary

This vulnerability exists in the barebox bootloader versions from 2016.03.0 to before 2025.09.3 and from 2025.10.0 to before 2026.03.1. When creating a FIT (Flattened Image Tree), the mkimage tool sets a property called hashed-nodes in the FIT signature node. This property lists which nodes of the FIT were hashed during the signing process and are expected to be verified by the bootloader later.

However, the hashed-nodes property itself is not included in the hash. This means an attacker can modify the hashed-nodes property to mislead the bootloader into booting images that were not actually verified, potentially bypassing security checks.

This issue has been fixed in barebox versions 2025.09.3 and 2026.03.1.
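
A simplified model of the flaw described above, added here as an illustration and not taken from barebox or mkimage: a dict stands in for the FIT, an HMAC for the real signature, and all node names and contents are constructed. The strict check is an assumption about one way to harden verification (derive the node list from the configuration instead of reading hashed-nodes), not a description of the project's patch.

```python
import hashlib, hmac

KEY = b"constructed-demo-key"        # HMAC stands in for the real signature
CONF = "/configurations/conf-1"      # constructed node name

def sign(fit, nodes):
    """Digest the content of the given nodes; the node list is not covered."""
    h = hmac.new(KEY, digestmod=hashlib.sha256)
    for path in nodes:
        h.update(fit[path])
    return h.digest()

def required_nodes(fit, conf):
    """Nodes the bootloader will actually load for this configuration."""
    return [conf] + [f"/images/{r}" for r in fit[conf].decode().split()]

def verify_naive(fit, conf):
    """Pre-fix model: hash whatever hashed-nodes names, then boot conf."""
    sig = fit[conf + "/signature-1"]
    return hmac.compare_digest(sign(fit, sig["hashed-nodes"]), sig["value"])

def verify_strict(fit, conf):
    """Hardened model: ignore hashed-nodes, hash what conf really loads."""
    sig = fit[conf + "/signature-1"]
    return hmac.compare_digest(sign(fit, required_nodes(fit, conf)), sig["value"])

def make_signed():
    """Constructed sample: a correctly signed configuration."""
    fit = {CONF: b"kernel-1 fdt-1",
           "/images/kernel-1": b"vendor kernel",
           "/images/fdt-1": b"vendor dtb"}
    nodes = required_nodes(fit, CONF)
    fit[CONF + "/signature-1"] = {"hashed-nodes": nodes,
                                  "value": sign(fit, nodes)}
    return fit

def make_tampered():
    """Constructed sample: hashed-nodes no longer names what conf-1 loads."""
    fit = make_signed()
    fit["/x/conf"] = fit[CONF]                  # signed bytes kept elsewhere
    fit["/x/kernel"] = fit["/images/kernel-1"]
    fit[CONF + "/signature-1"]["hashed-nodes"] = [
        "/x/conf", "/x/kernel", "/images/fdt-1"]
    fit["/images/kernel-1"] = b"unsigned kernel"
    return fit

if __name__ == "__main__":
    for name, fit in (("signed", make_signed()), ("tampered", make_tampered())):
        print(name, verify_naive(fit, CONF), verify_strict(fit, CONF))
```

The naive verifier accepts both samples because the signature still matches the nodes that hashed-nodes points at; the strict verifier rejects the tampered one because the kernel that would be booted is not the one that was signed.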

Impact Analysis

This vulnerability can allow an attacker with local access and high privileges to modify the hashed-nodes property in the FIT signature node, causing the bootloader to boot unverified or malicious images.

As a result, the attacker could execute unauthorized code during the boot process, potentially leading to full system compromise and loss of the system's confidentiality, integrity, and availability.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

To mitigate this vulnerability, you should upgrade barebox to a patched version. The issue has been fixed in barebox versions 2025.09.3 and 2026.03.1.
