Home / Vulnerability Intelligence / CVE-2026-33243

CVE-2026-33243 - Vulnerability Analysis

HighCVSS: 8.2

Last Updated: March 20, 2026

barebox - Authentication Bypass

Published: March 20, 2026Updated: March 20, 2026

Overview

barebox 2016.03.0 to < 2025.09.3 and 2025.10.0 to < 2026.03.1 contains a signature bypass caused by unhashed mutable hashed-nodes property in FIT signature node, letting attackers trick the bootloader into booting unverified images, exploit requires attacker to modify FIT image.

Severity & Score

Severity: High

CVSS Score: 8.2

Impact

Attackers can trick the bootloader into booting unverified images, potentially compromising system integrity and security.

Mitigation

Update to versions 2025.09.3 or 2026.03.1 or later.

References

https://github.com/barebox/barebox/commit/aca01795056d51060cb096f9a1ea309361743e05
https://github.com/barebox/barebox/security/advisories/GHSA-3fvj-q26p-j6h4

Related Resources

Vulnerability Intelligence Dashboard
Credential Scanner

Details

CVE ID: CVE-2026-33243
Severity: High
CVSS Score: 8.2
Type: broken_authentication
Status: new

CWE

CWE-345

CVSS Metrics

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H