{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33243", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-18T02:42:27.509Z", "datePublished": "2026-03-20T22:51:15.938Z", "dateUpdated": "2026-03-24T15:31:34.971Z"}, "containers": {"cna": {"title": "barebox: FIT Signature Verification Bypass Vulnerability", "problemTypes": [{"descriptions": [{"cweId": "CWE-345", "lang": "en", "description": "CWE-345: Insufficient Verification of Data Authenticity", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 8.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/barebox/barebox/security/advisories/GHSA-3fvj-q26p-j6h4", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/barebox/barebox/security/advisories/GHSA-3fvj-q26p-j6h4"}, {"name": "https://github.com/barebox/barebox/commit/aca01795056d51060cb096f9a1ea309361743e05", "tags": ["x_refsource_MISC"], "url": "https://github.com/barebox/barebox/commit/aca01795056d51060cb096f9a1ea309361743e05"}], "affected": [{"vendor": "barebox", "product": "barebox", "versions": [{"version": ">= 2016.03.0, < 2025.09.3", "status": "affected"}, {"version": ">= 2025.10.0, < 2026.03.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T22:51:15.938Z"}, "descriptions": [{"lang": "en", "value": "barebox is a bootloader. In barebox from version 2016.03.0 to before version 2025.09.3 and from version 2025.10.0 to before version 2026.03.1, when creating a FIT, mkimage(1) sets the hashed-nodes property of the FIT signature node to list which nodes of the FIT were hashed as part of the signing process as these will need to be verified later on by the bootloader. However, hashed-nodes itself is not part of the hash and can therefore be modified by an attacker to trick the bootloader into booting different images than those that have been verified. This issue has been patched in barebox versions 2025.09.3 and 2026.03.1."}], "source": {"advisory": "GHSA-3fvj-q26p-j6h4", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-24T15:31:22.066555Z", "id": "CVE-2026-33243", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-24T15:31:34.971Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33243", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-24T15:31:22.066555Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-24T15:31:31.448Z"}}], "cna": {"title": "barebox: FIT Signature Verification Bypass Vulnerability", "source": {"advisory": "GHSA-3fvj-q26p-j6h4", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.3, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "barebox", "product": "barebox", "versions": [{"status": "affected", "version": ">= 2016.03.0, < 2025.09.3"}, {"status": "affected", "version": ">= 2025.10.0, < 2026.03.1"}]}], "references": [{"url": "https://github.com/barebox/barebox/security/advisories/GHSA-3fvj-q26p-j6h4", "name": "https://github.com/barebox/barebox/security/advisories/GHSA-3fvj-q26p-j6h4", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/barebox/barebox/commit/aca01795056d51060cb096f9a1ea309361743e05", "name": "https://github.com/barebox/barebox/commit/aca01795056d51060cb096f9a1ea309361743e05", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "barebox is a bootloader. In barebox from version 2016.03.0 to before version 2025.09.3 and from version 2025.10.0 to before version 2026.03.1, when creating a FIT, mkimage(1) sets the hashed-nodes property of the FIT signature node to list which nodes of the FIT were hashed as part of the signing process as these will need to be verified later on by the bootloader. However, hashed-nodes itself is not part of the hash and can therefore be modified by an attacker to trick the bootloader into booting different images than those that have been verified. This issue has been patched in barebox versions 2025.09.3 and 2026.03.1."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-345", "description": "CWE-345: Insufficient Verification of Data Authenticity"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T22:51:15.938Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33243", "state": "PUBLISHED", "dateUpdated": "2026-03-24T15:31:34.971Z", "dateReserved": "2026-03-18T02:42:27.509Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-20T22:51:15.938Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:denx:u-boot:*:*:*:*:*:*:*:*", "matchCriteriaId": "73526136-D89A-4F96-AB26-FE78052494BA", "versionEndExcluding": "2026.04", "versionStartIncluding": "2013.07", "vulnerable": true}, {"criteria": "cpe:2.3:a:denx:u-boot:2026.04:rc1:*:*:*:*:*:*", "matchCriteriaId": "39D97BA6-0B7B-4633-971E-3C79C58A57A5", "vulnerable": true}, {"criteria": "cpe:2.3:a:denx:u-boot:2026.04:rc2:*:*:*:*:*:*", "matchCriteriaId": "94B93B6C-02D1-42C9-B862-C945511A0297", "vulnerable": true}, {"criteria": "cpe:2.3:a:denx:u-boot:2026.04:rc3:*:*:*:*:*:*", "matchCriteriaId": "86FAEAE1-FCD8-426D-9452-E1885014C9A9", "vulnerable": true}, {"criteria": "cpe:2.3:a:pengutronix:barebox:*:*:*:*:*:*:*:*", "matchCriteriaId": "F9C10736-4F83-4DFE-B39D-8F93E6C8D55D", "versionEndExcluding": "2025.09.3", "versionStartIncluding": "2016.03.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:pengutronix:barebox:*:*:*:*:*:*:*:*", "matchCriteriaId": "D19A8826-6289-4EEA-8093-8F92E7A66461", "versionEndExcluding": "2026.03.1", "versionStartIncluding": "2025.10.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "barebox is a bootloader. In barebox from version 2016.03.0 to before version 2025.09.3 and from version 2025.10.0 to before version 2026.03.1, when creating a FIT, mkimage(1) sets the hashed-nodes property of the FIT signature node to list which nodes of the FIT were hashed as part of the signing process as these will need to be verified later on by the bootloader. However, hashed-nodes itself is not part of the hash and can therefore be modified by an attacker to trick the bootloader into booting different images than those that have been verified. This issue has been patched in barebox versions 2025.09.3 and 2026.03.1."}, {"lang": "es", "value": "barebox es un gestor de arranque. En barebox desde la versi\u00f3n 2016.03.0 hasta antes de la versi\u00f3n 2025.09.3 y desde la versi\u00f3n 2025.10.0 hasta antes de la versi\u00f3n 2026.03.1, al crear un FIT, mkimage(1) establece la propiedad hashed-nodes del nodo de firma FIT para listar qu\u00e9 nodos del FIT fueron hasheados como parte del proceso de firma, ya que estos deber\u00e1n ser verificados posteriormente por el gestor de arranque. Sin embargo, hashed-nodes en s\u00ed mismo no forma parte del hash y por lo tanto puede ser modificado por un atacante para enga\u00f1ar al gestor de arranque para que arranque im\u00e1genes diferentes a las que han sido verificadas. Este problema ha sido parcheado en las versiones de barebox 2025.09.3 y 2026.03.1."}], "id": "CVE-2026-33243", "lastModified": "2026-03-25T19:26:15.717", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.5, "impactScore": 6.0, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-20T23:16:47.167", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/barebox/barebox/commit/aca01795056d51060cb096f9a1ea309361743e05"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://github.com/barebox/barebox/security/advisories/GHSA-3fvj-q26p-j6h4"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-345"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2016.03.0,2025.09.3)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2025.10.0,2026.03.1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "barebox", "source": "cna", "vendor": "barebox"}, "product": "barebox", "vendor": "barebox"}], "analysis": {"en": {"generated_at": "2026-03-25T20:33:33.847629+00:00", "value": {"mitigation_remediation": ["Upgrade barebox to version 2025.09.3 or later, or 2026.03.1 or later.", "Rebuild and redeploy all FIT images using the patched mkimage tool to ensure the hashed\u2011nodes property is accurate.", "If upgrade is not immediately possible, consider disabling FIT signature verification or deploying a separate verification mechanism on the host.", "Verify that the device boots with the updated bootloader and monitor for unexpected boot events."], "summary": {"action": "Immediate Patch", "impact": "Unauthorized Image Execution"}, "threat_synthesis": {"affected_systems": "The flaw affects barebox bootloader versions from 2016.03.0 up to but excluding 2025.09.3, and again from 2025.10.0 up to but excluding 2026.03.1. The affected product is barebox, a bootloader developed by Denx. Vendors using older versions of barebox should review their firmware images against these ranges. The issue has been fixed in barebox 2025.09.3 and 2026.03.1, so upgrading to those releases removes the risk.", "description_and_impact": "The vulnerability arises from a flaw in the FIT image signing process. The mkimage tool records which nodes were hashed in a property that is not part of the hash itself, allowing an attacker to modify the list after signing. During boot, the loader trusts this list and verifies only the specified nodes, meaning it can boot images that have not actually been signed. This allows an adversary to load malicious firmware, resulting in unauthorized execution and full compromise of the device. The weakness is classified as CWE\u2011345 and is rated with a high CVSS score of 8.3.", "risk_and_exploitability": "With a CVSS score of 8.3 the flaw is considered high severity, yet its EPSS score is below 1%, indicating low likelihood of widespread exploitation. It is not listed in the CISA KEV catalog. Exploitation requires the attacker to craft or modify a FIT image and supply it to the device, a scenario that is likely limited to physical or privileged access to the boot medium. No remote attack vector is identified from the available information. Once deployed, the attacker can execute arbitrary code with the privileges of the bootloader, effectively compromising the entire system."}}}}, "created": "2026-03-23T09:52:12.141000+00:00", "updated": "2026-03-25T21:28:14.309518+00:00", "vendors": ["barebox", "barebox$PRODUCT$barebox"]}