{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33243", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-18T02:42:27.509Z", "datePublished": "2026-03-20T22:51:15.938Z", "dateUpdated": "2026-03-26T20:08:12.009Z"}, "containers": {"cna": {"title": "barebox: FIT Signature Verification Bypass Vulnerability", "problemTypes": [{"descriptions": [{"cweId": "CWE-345", "lang": "en", "description": "CWE-345: Insufficient Verification of Data Authenticity", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 8.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/barebox/barebox/security/advisories/GHSA-3fvj-q26p-j6h4", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/barebox/barebox/security/advisories/GHSA-3fvj-q26p-j6h4"}, {"name": "https://github.com/barebox/barebox/commit/aca01795056d51060cb096f9a1ea309361743e05", "tags": ["x_refsource_MISC"], "url": "https://github.com/barebox/barebox/commit/aca01795056d51060cb096f9a1ea309361743e05"}], "affected": [{"vendor": "barebox", "product": "barebox", "versions": [{"version": ">= 2016.03.0, < 2025.09.3", "status": "affected"}, {"version": ">= 2025.10.0, < 2026.03.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-26T20:08:12.009Z"}, "descriptions": [{"lang": "en", "value": "barebox is a bootloader. In barebox from version 2016.03.0 to before version 2026.03.1 (and the corresponding backport to 2025.09.3), an attacker could exploit a FIT signature verification vulnerability to trick the bootloader into booting different images than those that were verified as part of a signed configuration. mkimage(1) sets the hashed-nodes property of the FIT signature node to list which nodes of the FIT were hashed as part of the signing process as these will need to be verified later on by the bootloader. However, hashed-nodes itself is not part of the hash and could therefore be modified to allow booting different images than those that have been verified. This issue has been patched in barebox versions 2026.03.1 and backported to 2025.09.3."}], "source": {"advisory": "GHSA-3fvj-q26p-j6h4", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-24T15:31:22.066555Z", "id": "CVE-2026-33243", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-24T15:31:34.971Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33243", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-24T15:31:22.066555Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-24T15:31:31.448Z"}}], "cna": {"title": "barebox: FIT Signature Verification Bypass Vulnerability", "source": {"advisory": "GHSA-3fvj-q26p-j6h4", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.3, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "barebox", "product": "barebox", "versions": [{"status": "affected", "version": ">= 2016.03.0, < 2025.09.3"}, {"status": "affected", "version": ">= 2025.10.0, < 2026.03.1"}]}], "references": [{"url": "https://github.com/barebox/barebox/security/advisories/GHSA-3fvj-q26p-j6h4", "name": "https://github.com/barebox/barebox/security/advisories/GHSA-3fvj-q26p-j6h4", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/barebox/barebox/commit/aca01795056d51060cb096f9a1ea309361743e05", "name": "https://github.com/barebox/barebox/commit/aca01795056d51060cb096f9a1ea309361743e05", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "barebox is a bootloader. In barebox from version 2016.03.0 to before version 2025.09.3 and from version 2025.10.0 to before version 2026.03.1, when creating a FIT, mkimage(1) sets the hashed-nodes property of the FIT signature node to list which nodes of the FIT were hashed as part of the signing process as these will need to be verified later on by the bootloader. However, hashed-nodes itself is not part of the hash and can therefore be modified by an attacker to trick the bootloader into booting different images than those that have been verified. This issue has been patched in barebox versions 2025.09.3 and 2026.03.1."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-345", "description": "CWE-345: Insufficient Verification of Data Authenticity"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T22:51:15.938Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33243", "state": "PUBLISHED", "dateUpdated": "2026-03-24T15:31:34.971Z", "dateReserved": "2026-03-18T02:42:27.509Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-20T22:51:15.938Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:denx:u-boot:*:*:*:*:*:*:*:*", "matchCriteriaId": "73526136-D89A-4F96-AB26-FE78052494BA", "versionEndExcluding": "2026.04", "versionStartIncluding": "2013.07", "vulnerable": true}, {"criteria": "cpe:2.3:a:denx:u-boot:2026.04:rc1:*:*:*:*:*:*", "matchCriteriaId": "39D97BA6-0B7B-4633-971E-3C79C58A57A5", "vulnerable": true}, {"criteria": "cpe:2.3:a:denx:u-boot:2026.04:rc2:*:*:*:*:*:*", "matchCriteriaId": "94B93B6C-02D1-42C9-B862-C945511A0297", "vulnerable": true}, {"criteria": "cpe:2.3:a:denx:u-boot:2026.04:rc3:*:*:*:*:*:*", "matchCriteriaId": "86FAEAE1-FCD8-426D-9452-E1885014C9A9", "vulnerable": true}, {"criteria": "cpe:2.3:a:pengutronix:barebox:*:*:*:*:*:*:*:*", "matchCriteriaId": "F9C10736-4F83-4DFE-B39D-8F93E6C8D55D", "versionEndExcluding": "2025.09.3", "versionStartIncluding": "2016.03.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:pengutronix:barebox:*:*:*:*:*:*:*:*", "matchCriteriaId": "D19A8826-6289-4EEA-8093-8F92E7A66461", "versionEndExcluding": "2026.03.1", "versionStartIncluding": "2025.10.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "barebox is a bootloader. In barebox from version 2016.03.0 to before version 2025.09.3 and from version 2025.10.0 to before version 2026.03.1, when creating a FIT, mkimage(1) sets the hashed-nodes property of the FIT signature node to list which nodes of the FIT were hashed as part of the signing process as these will need to be verified later on by the bootloader. However, hashed-nodes itself is not part of the hash and can therefore be modified by an attacker to trick the bootloader into booting different images than those that have been verified. This issue has been patched in barebox versions 2025.09.3 and 2026.03.1."}, {"lang": "es", "value": "barebox es un gestor de arranque. En barebox desde la versi\u00f3n 2016.03.0 hasta antes de la versi\u00f3n 2025.09.3 y desde la versi\u00f3n 2025.10.0 hasta antes de la versi\u00f3n 2026.03.1, al crear un FIT, mkimage(1) establece la propiedad hashed-nodes del nodo de firma FIT para listar qu\u00e9 nodos del FIT fueron hasheados como parte del proceso de firma, ya que estos deber\u00e1n ser verificados posteriormente por el gestor de arranque. Sin embargo, hashed-nodes en s\u00ed mismo no forma parte del hash y por lo tanto puede ser modificado por un atacante para enga\u00f1ar al gestor de arranque para que arranque im\u00e1genes diferentes a las que han sido verificadas. Este problema ha sido parcheado en las versiones de barebox 2025.09.3 y 2026.03.1."}], "id": "CVE-2026-33243", "lastModified": "2026-03-25T19:26:15.717", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.5, "impactScore": 6.0, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-20T23:16:47.167", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/barebox/barebox/commit/aca01795056d51060cb096f9a1ea309361743e05"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://github.com/barebox/barebox/security/advisories/GHSA-3fvj-q26p-j6h4"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-345"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}