LeakyCreds

CVE-2026-33243 - Vulnerability Analysis

High | CVSS: 8.2

Last Updated: March 23, 2026

barebox - Authentication Bypass

Published: March 20, 2026 | Updated: March 23, 2026

Overview

barebox versions 2016.03.0 to before 2025.09.3, and 2025.10.0 to before 2026.03.1, contain a signature bypass: the hashed-nodes property of the FIT signature node is itself unhashed and mutable. This lets attackers trick the bootloader into booting unverified images. Exploitation requires the attacker to modify the FIT image.

Severity & Score

Severity: High
CVSS Score: 8.2
EPSS Score: 0.6% (probability of exploitation in the next 30 days)

Impact

Attackers can trick the bootloader into booting unverified images, potentially compromising system integrity and security.

Mitigation

Update to versions 2025.09.3 or 2026.03.1 or later.

Social Media Activity (1 post)

TheHackerWire
@thehackerwire
Mar 21, 2026

🟠 CVE-2026-33243 - High (8.2) barebox is a bootloader. In barebox from version 2016.03.0 to before version 2025.09.3 and from version 2025.10.0 to before version 2026.03.1, when creating a FIT, mkimage(1) sets the hashed-nodes property of the FIT signature node to list which n... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-33243/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack


Details

CVE ID: CVE-2026-33243
Severity: High
CVSS Score: 8.2
Type: broken_authentication
Status: unconfirmed
EPSS: 0.6%
Social Posts: 1

CWE

  • CWE-345

CVSS Metrics

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

EPSS Score

0.6% (probability of exploitation in the next 30 days)