Executive Summary

CVE-2026-35176 is a heap-buffer-overflow read vulnerability in the openFPGALoader utility, specifically in the function POFParser::parseSection() when parsing crafted .pof files.

The vulnerability occurs because the parser reads a 32-bit size field from the .pof file without checking if this size exceeds the actual file buffer size. This leads to an out-of-bounds read from heap memory.

When handling a specific section type (0x11), the code resizes a vector to the attacker-controlled size and copies data from the file buffer to this vector without validating boundaries, causing the overflow.

This can cause information disclosure or program crashes, and no FPGA hardware is required to trigger the vulnerability.

Useful 0 Not Useful 0

Impact Analysis

An attacker can craft malicious .pof files that cause openFPGALoader to read beyond the intended buffer, leading to leakage of heap memory contents.

This leaked data may be written to FPGA hardware or output files, posing a supply-chain risk in FPGA projects.

The vulnerability can also cause application crashes, impacting availability.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by testing the openFPGALoader utility with crafted .pof files that specify an invalidly large section size, causing a heap-buffer-overflow read. A proof-of-concept minimal .pof file (50 bytes) exists that triggers the issue by specifying a section size of 65536 bytes while the file is only 50 bytes long.

Running openFPGALoader with AddressSanitizer (ASAN) enabled on such crafted files can reveal heap-buffer-overflow read errors.

Suggested command to detect the vulnerability using ASAN (assuming openFPGALoader is compiled with ASAN support):

• ASAN_OPTIONS=detect_stack_use_after_return=1 ./openFPGALoader path/to/crafted.pof

If ASAN is not available, monitoring for crashes or abnormal behavior when parsing suspicious .pof files locally can also indicate the presence of this vulnerability.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include avoiding the use of untrusted or unauthenticated .pof files with openFPGALoader, as the vulnerability is triggered by crafted .pof files.

Since no patched versions are available at the time of the advisory, users should restrict access to openFPGALoader and ensure only trusted sources provide .pof files.

Additionally, running openFPGALoader in a sandboxed or isolated environment can limit the impact of potential crashes or information disclosure.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability in openFPGALoader allows an attacker to cause out-of-bounds heap memory reads, potentially leading to information disclosure by leaking heap memory contents. This leakage of sensitive data could pose risks related to confidentiality, which is a key concern in compliance with standards such as GDPR and HIPAA.

Since the vulnerability can result in unauthorized disclosure of memory contents, it may impact compliance with regulations that require protection of sensitive or personal data. However, the advisory does not explicitly mention specific compliance impacts or affected data types.

Useful 0 Not Useful 0