CVE-2026-36175
Authentication Bypass in GNCC GP5 U-Boot
Publication date: 2026-06-04
Last updated on: 2026-06-04
Assigner: MITRE
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| gncc | gp5 | 7.1.76 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-288 | The product requires authentication, but the product has an alternate path or channel that does not require authentication. |
| CWE-20 | The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the U-Boot component of GNCC GP5 version 7.1.76. It allows attackers who have physical proximity to the device to bypass authentication mechanisms. They achieve this by interrupting the boot sequence and injecting a specially crafted string into the kernel boot arguments, which ultimately grants them root access.
How can this vulnerability impact me? :
The vulnerability can have severe impacts as it allows an attacker with physical access to gain root privileges on the affected device. This means the attacker can fully control the system, potentially leading to unauthorized data access, modification, or destruction, installation of malicious software, and disruption of normal device operations.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This vulnerability allows physically-proximate attackers to bypass authentication and gain root access to the affected system. Such unauthorized access can lead to compromise of confidentiality, integrity, and availability of sensitive data.
As a result, organizations using the affected U-Boot component may face challenges in maintaining compliance with standards and regulations like GDPR and HIPAA, which require protection of sensitive personal and health information against unauthorized access.
What immediate steps should I take to mitigate this vulnerability?
The vulnerability allows physically-proximate attackers to bypass authentication by interrupting the boot sequence and injecting crafted strings into the kernel boot arguments.
Immediate mitigation steps include restricting physical access to the device to prevent attackers from interrupting the boot process.
If possible, disable any interfaces or methods that allow boot sequence interruption or injection of boot arguments.
Monitor for any unauthorized physical access and consider isolating affected devices from critical networks.