CVE-2026-34962
Denial-of-Service in barebox via Ext4 Directory Parsing
Publication date: 2026-05-11
Last updated on: 2026-05-11
Assigner: VulnCheck
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| barebox | barebox | to 2026.04.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-835 | The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in barebox versions prior to 2026.04.0 and involves a flaw in the ext4 directory parsing code. Specifically, the function ext4fs_iterate_dir() in fs/ext4/ext4_common.c does not properly check that directory entry length values are non-zero. An attacker can create a malicious ext4 filesystem image with a crafted directory entry where the length value (direntlen) is zero. When the system tries to list directories or resolve paths using this filesystem, it can enter an infinite loop, causing the boot process to hang indefinitely.
How can this vulnerability impact me? :
The primary impact of this vulnerability is a denial-of-service condition. By supplying a specially crafted ext4 filesystem image, an attacker can cause the system's boot process to hang indefinitely due to an infinite loop during directory listing or path resolution. This can prevent the system from starting properly, leading to downtime and potential disruption of services.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves a denial-of-service in barebox versions prior to 2026.04.0 caused by improper validation of directory entry lengths in ext4 filesystem parsing.
To detect if your system is vulnerable, you should first verify the barebox version running on your device.
- Check barebox version with the command: barebox --version
- If the version is prior to 2026.04.0, your system is potentially vulnerable.
Since the vulnerability is triggered by a crafted ext4 filesystem image with a directory entry length of zero, you can also inspect ext4 filesystem images for such malformed directory entries using filesystem analysis tools.
- Use debugfs or similar tools to examine directory entries in ext4 images.
- Example command: debugfs /path/to/ext4_image
However, no specific detection commands for the crafted direntlen=0 condition are provided.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to upgrade barebox to version 2026.04.0 or later, where this vulnerability has been fixed.
Until an upgrade is possible, avoid using untrusted or potentially malicious ext4 filesystem images that could contain crafted directory entries with zero length.
Additionally, monitor boot processes for hangs or infinite loops during directory listing or path resolution as indicators of exploitation attempts.