Home
HIGH: 7.0 CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:N/AU:N/R:I/V:C/RE:MDefault status
unaffected
Any version before BL2 FW 0x1001
affected
Default status
unaffected
Any version before BL2 FW 0x2001
affected
Default status
unaffected
Any version before BL2 FW 0x2101
affected
Description
The Semtech LR11xx LoRa transceivers implement secure boot functionality using digital signatures to authenticate firmware. However, the implementation uses a non-standard cryptographic hashing algorithm that is vulnerable to second preimage attacks. An attacker with physical access to the device can exploit this weakness to generate a malicious firmware image with a hash collision, bypassing the secure boot verification mechanism and installing arbitrary unauthorized firmware on the device.
Problem types
CWE-327 Use of a Broken or Risky Cryptographic Algorithm
Product status
Any version before BL2 FW 0x1001
Any version before BL2 FW 0x2001
Any version before BL2 FW 0x2101
References
www.semtech.com/...urity/security-bulletins/sem-psa-2026-001