CVE-2026-33243

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2026-33243

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33243.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2026-33243

Aliases

GHSA-3fvj-q26p-j6h4

Downstream

DEBIAN-CVE-2026-33243

OESA-2026-1834

Published

2026-03-20T22:51:15.938Z

Modified

2026-04-10T05:43:19.793153Z

Severity

8.2 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H CVSS Calculator

Summary

barebox: FIT Signature Verification Bypass Vulnerability

Details

barebox is a bootloader. In barebox from version 2016.03.0 to before version 2026.03.1 (and the corresponding backport to 2025.09.3), an attacker could exploit a FIT signature verification vulnerability to trick the bootloader into booting different images than those that were verified as part of a signed configuration. mkimage(1) sets the hashed-nodes property of the FIT signature node to list which nodes of the FIT were hashed as part of the signing process as these will need to be verified later on by the bootloader. However, hashed-nodes itself is not part of the hash and could therefore be modified to allow booting different images than those that have been verified. This issue has been patched in barebox versions 2026.03.1 and backported to 2025.09.3.

Database specific

{
    "cwe_ids": [
        "CWE-345"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/33xxx/CVE-2026-33243.json",
    "cna_assigner": "GitHub_M"
}

References

Affected packages

Git / github.com/barebox/barebox

Affected ranges

Type

GIT

Repo

https://github.com/barebox/barebox

Events

Introduced

1d8493e63b13954cb16d0304285271dfac208758

Fixed

51e471d3e84e105e906dd449179f53a5e5c63847

Database specific

{
    "versions": [
        {
            "introduced": "2016.03.0"
        },
        {
            "fixed": "2025.09.3"
        }
    ]
}

Type

GIT

Repo

https://github.com/barebox/barebox

Events

Introduced

1f40283a172d1c4b81befe5745a85027a5607551

Fixed

1d386a53086d28a0c4eda138ae9408a418b97b7e

Database specific

{
    "versions": [
        {
            "introduced": "2025.10.0"
        },
        {
            "fixed": "2026.03.1"
        }
    ]
}

Affected versions

v2016.*

v2016.03.0

v2016.04.0

v2016.05.0

v2016.06.0

v2016.07.0

v2016.08.0

v2016.09.0

v2016.10.0

v2016.11.0

v2017.*

v2017.01.0

v2017.02.0

v2017.03.0

v2017.04.0

v2017.05.0

v2017.06.0

v2017.07.0

v2017.08.0

v2017.09.0

v2017.10.0

v2017.11.0

v2017.12.0

v2018.*

v2018.01.0

v2018.02.0

v2018.03.0

v2018.04.0

v2018.05.0

v2018.06.0

v2018.07.0

v2018.08.0

v2018.09.0

v2018.10.0

v2018.11.0

v2018.12.0

v2019.*

v2019.01.0

v2019.02.0

v2019.03.0

v2019.04.0

v2019.05.0

v2019.06.0

v2019.07.0

v2019.08.0

v2019.09.0

v2019.10.0

v2019.11.0

v2019.12.0

v2020.*

v2020.01.0

v2020.02.0

v2020.03.0

v2020.04.0

v2020.05.0

v2020.06.0

v2020.07.0

v2020.08.0

v2020.09.0

v2020.10.0

v2020.11.0

v2020.12.0

v2021.*

v2021.01.0

v2021.02.0

v2021.03.0

v2021.05.0

v2021.06.0

v2021.07.0

v2021.08.0

v2021.10.0

v2021.11.0

v2021.12.0

v2022.*

v2022.01.0

v2022.02.0

v2022.03.0

v2022.04.0

v2022.05.0

v2022.06.0

v2022.08.0

v2022.09.0

v2022.10.0

v2022.11.0

v2022.12.0

v2023.*

v2023.01.0

v2023.02.0

v2023.03.0

v2023.04.0

v2023.05.0

v2023.06.0

v2023.07.0

v2023.07.1

v2023.08.0

v2023.09.0

v2023.10.0

v2023.11.0

v2023.12.0

v2024.*

v2024.01.0

v2024.02.0

v2024.03.0

v2024.04.0

v2024.05.0

v2024.07.0

v2024.08.0

v2024.09.0

v2024.12.0

v2025.*

v2025.01.0

v2025.02.0

v2025.03.0

v2025.04.0

v2025.05.0

v2025.06.0

v2025.07.0

v2025.08.0

v2025.09.0

v2025.09.1

v2025.09.2

v2025.10.0

v2025.11.0

v2025.12.0

v2026.*

v2026.01.0

v2026.02.0

v2026.03.0

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33243.json"