CVE-2026-34960
Out-of-Bounds Read in barebox DHCP Option Parsing
Publication date: 2026-05-11
Last updated on: 2026-05-11
Assigner: VulnCheck
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| barebox | barebox | to 2026.04.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-125 | The product reads data past the end, or before the beginning, of the intended buffer. |
Attack-Flow Graph
AI Powered Q&A
How can this vulnerability impact me? :
The primary impact of this vulnerability is that an attacker on the same broadcast domain can cause the affected system to crash by sending a malicious DHCP packet. This can lead to denial of service conditions, potentially disrupting normal operations of the device running barebox.
Can you explain this vulnerability to me?
This vulnerability exists in barebox versions prior to 2026.04.0 and involves an out-of-bounds read in the DHCP option parsing process. Specifically, the dhcp_message_type() function does not properly verify that the options pointer stays within the bounds of the received DHCP packet. An attacker on the same broadcast domain can exploit this by sending a specially crafted DHCP Offer or ACK packet that lacks a proper 0xff end marker, causing the parser to read beyond the valid packet data.
This out-of-bounds read can lead to the system crashing.