Description

barebox versions prior to 2026.04.0 contain multiple memory-safety vulnerabilities in the EFI PE loader in efi/loader/pe.c. The virtual image size is computed with 32-bit arithmetic on section VirtualAddress and size values, so an integer overflow allows an undersized heap allocation. The PE section loading logic also fails to validate that PointerToRawData plus the copied size remains within the PE file buffer. An attacker can supply a malicious EFI PE binary via TFTP, USB, SD card, or network boot to trigger a heap buffer overflow or an out-of-bounds read from heap memory, potentially achieving code execution in bootloader context.
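The two checks the description says were missing, as an added example (not barebox's code). The struct, function names, `max_image` policy cap, and the min(SizeOfRawData, VirtualSize) copy rule are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical subset of a PE section header; not barebox's own struct. */
struct sec_hdr {
    uint32_t virtual_size, virtual_address;
    uint32_t size_of_raw_data, pointer_to_raw_data;
};

/* Flawed pattern: the 32-bit sum wraps, so the reported image size is too small. */
uint32_t image_size_unchecked(const struct sec_hdr *s, size_t n)
{
    uint32_t size = 0;
    for (size_t i = 0; i < n; i++) {
        uint32_t end = s[i].virtual_address + s[i].virtual_size; /* may wrap */
        size = end > size ? end : size;
    }
    return size;
}

/* Hardened: 64-bit sums, each section bounded against the image cap and the file. */
bool image_layout_checked(const struct sec_hdr *s, size_t n, size_t file_len,
                          uint64_t max_image, uint64_t *image_size)
{
    uint64_t size = 0;
    for (size_t i = 0; i < n; i++) {
        uint64_t vend = (uint64_t)s[i].virtual_address + s[i].virtual_size;
        /* Assumption: the loader copies min(SizeOfRawData, VirtualSize) bytes. */
        uint32_t copy = s[i].size_of_raw_data < s[i].virtual_size
                      ? s[i].size_of_raw_data : s[i].virtual_size;
        uint64_t rend = (uint64_t)s[i].pointer_to_raw_data + copy;
        if (vend > max_image || rend > file_len)
            return false; /* reject before any allocation or copy */
        size = vend > size ? vend : size;
    }
    *image_size = size;
    return true;
}

int main(void)
{
    struct sec_hdr s = { 0x2000, 0xFFFFF000u, 0x200, 0x400 }; /* constructed input */
    uint64_t sz = 0;
    printf("unchecked size: 0x%x\n", (unsigned)image_size_unchecked(&s, 1));
    printf("checked: %s\n", image_layout_checked(&s, 1, 0x1000, 1u << 28, &sz) ? "accept" : "reject");
    return 0;
}
```

The same widening applies to any later arithmetic that sizes the allocation from these fields; a check performed in 64 bits is lost if the result is truncated back to 32 bits before use.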

PUBLISHED Reserved 2026-03-31 | Published 2026-05-11 | Updated 2026-05-14 | Assigner VulnCheck




HIGH: 8.4 (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

HIGH: 8.6 (CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N)

Problem types

CWE-190 Integer Overflow or Wraparound

Product status

Default status
unaffected

Any version
affected

Credits

Kazuma Matsumoto, a security researcher at GMO Cybersecurity by IERAE, Inc. (finder)

References

github.com/barebox/barebox (product)

github.com/barebox/barebox/releases/tag/v2026.04.0 (patch)

www.vulncheck.com/...pe-loader-memory-safety-vulnerabilities (third-party-advisory)

cve.org (CVE-2026-34963)

nvd.nist.gov (CVE-2026-34963)
