CVE-2026-35176
Heap Buffer Overflow in openFPGALoader POFParser Allows Memory Access
Publication date: 2026-04-06
Last updated on: 2026-04-28
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| trabucayre | openfpgaloader | up to and including 1.1.1 |
| CWE ID | Description |
|---|---|
| CWE-125 | The product reads data past the end, or before the beginning, of the intended buffer. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability in openFPGALoader allows an attacker to cause out-of-bounds heap memory reads, potentially leading to information disclosure by leaking heap memory contents. This leakage of sensitive data could pose risks related to confidentiality, which is a key concern in compliance with standards such as GDPR and HIPAA.
Since the vulnerability can result in unauthorized disclosure of memory contents, it may impact compliance with regulations that require protection of sensitive or personal data. However, the advisory does not explicitly mention specific compliance impacts or affected data types.
Can you explain this vulnerability to me?
CVE-2026-35176 is a heap-buffer-overflow read vulnerability in the openFPGALoader utility, specifically in the function POFParser::parseSection() when parsing crafted .pof files.
The vulnerability occurs because the parser reads a 32-bit size field from the .pof file without checking if this size exceeds the actual file buffer size. This leads to an out-of-bounds read from heap memory.
When handling a specific section type (0x11), the code resizes a vector to the attacker-controlled size and copies data from the file buffer to this vector without validating boundaries, causing the overflow.
This can cause information disclosure or program crashes, and no FPGA hardware is required to trigger the vulnerability.
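The missing check described above, as an added example (not openFPGALoader's code and not the project's fix): a section parser that validates the declared size against the bytes remaining before it copies. The section layout (2-byte tag, 4-byte little-endian size, payload) and the names `parse_section_checked` and `make_section` are assumptions made for illustration, and the input is constructed.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Assumed section layout (hypothetical): 2-byte tag, 4-byte LE size, payload.
constexpr std::size_t kHeaderLen = 6;

struct Section {
    uint16_t tag;
    std::vector<uint8_t> payload;
};

static uint32_t read_le32(const uint8_t *p) {
    return uint32_t(p[0]) | uint32_t(p[1]) << 8 |
           uint32_t(p[2]) << 16 | uint32_t(p[3]) << 24;
}

// Unchecked pattern the advisory describes, kept as a comment only:
//   payload.resize(size); memcpy(payload.data(), buf + off, size);
// Hardened form: reject any section whose declared size exceeds what is left.
bool parse_section_checked(const std::vector<uint8_t> &buf, std::size_t off,
                           Section &out) {
    if (off > buf.size() || buf.size() - off < kHeaderLen)
        return false;                       // truncated or missing header
    const uint8_t *p = buf.data() + off;
    const uint32_t size = read_le32(p + 2);
    const std::size_t remaining = buf.size() - off - kHeaderLen;
    if (size > remaining)                   // subtraction form cannot wrap
        return false;
    out.tag = uint16_t(p[0] | (p[1] << 8));
    out.payload.assign(p + kHeaderLen, p + kHeaderLen + size);
    return true;
}

// Builds a constructed test section; `declared` may disagree with the payload.
std::vector<uint8_t> make_section(uint16_t tag, uint32_t declared,
                                  const std::vector<uint8_t> &payload) {
    std::vector<uint8_t> b = {uint8_t(tag), uint8_t(tag >> 8)};
    for (int i = 0; i < 4; ++i) b.push_back(uint8_t(declared >> (8 * i)));
    b.insert(b.end(), payload.begin(), payload.end());
    return b;
}

int main() {
    Section s;
    const std::vector<uint8_t> body(8, 0xAA);
    std::printf("honest size: %d\n", parse_section_checked(make_section(0x11, 8, body), 0, s));
    std::printf("size 65536:  %d\n", parse_section_checked(make_section(0x11, 65536, body), 0, s));
    return 0;
}
```

Comparing the declared size against `remaining` rather than computing `off + size` keeps the check free of integer wraparound on 32-bit builds.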
How can this vulnerability impact me?
An attacker can craft malicious .pof files that cause openFPGALoader to read beyond the intended buffer, leading to leakage of heap memory contents.
This leaked data may be written to FPGA hardware or output files, posing a supply-chain risk in FPGA projects.
The vulnerability can also cause application crashes, impacting availability.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing the openFPGALoader utility with crafted .pof files that specify an invalidly large section size, causing a heap-buffer-overflow read. A proof-of-concept minimal .pof file (50 bytes) exists that triggers the issue by specifying a section size of 65536 bytes while the file is only 50 bytes long.
Running openFPGALoader with AddressSanitizer (ASAN) enabled on such crafted files can reveal heap-buffer-overflow read errors.
Suggested command to detect the vulnerability using ASAN (assuming openFPGALoader is compiled with ASAN support):
- ASAN_OPTIONS=detect_stack_use_after_return=1 ./openFPGALoader path/to/crafted.pof
If ASAN is not available, monitoring for crashes or abnormal behavior when parsing suspicious .pof files locally can also indicate the presence of this vulnerability.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include avoiding the use of untrusted or unauthenticated .pof files with openFPGALoader, as the vulnerability is triggered by crafted .pof files.
Since no patched versions are available at the time of the advisory, users should restrict access to openFPGALoader and ensure only trusted sources provide .pof files.
Additionally, running openFPGALoader in a sandboxed or isolated environment can limit the impact of potential crashes or information disclosure.