{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33243", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-18T02:42:27.509Z", "datePublished": "2026-03-20T22:51:15.938Z", "dateUpdated": "2026-03-24T15:31:34.971Z"}, "containers": {"cna": {"title": "barebox: FIT Signature Verification Bypass Vulnerability", "problemTypes": [{"descriptions": [{"cweId": "CWE-345", "lang": "en", "description": "CWE-345: Insufficient Verification of Data Authenticity", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 8.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/barebox/barebox/security/advisories/GHSA-3fvj-q26p-j6h4", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/barebox/barebox/security/advisories/GHSA-3fvj-q26p-j6h4"}, {"name": "https://github.com/barebox/barebox/commit/aca01795056d51060cb096f9a1ea309361743e05", "tags": ["x_refsource_MISC"], "url": "https://github.com/barebox/barebox/commit/aca01795056d51060cb096f9a1ea309361743e05"}], "affected": [{"vendor": "barebox", "product": "barebox", "versions": [{"version": ">= 2016.03.0, < 2025.09.3", "status": "affected"}, {"version": ">= 2025.10.0, < 2026.03.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T22:51:15.938Z"}, "descriptions": [{"lang": "en", "value": "barebox is a bootloader. In barebox from version 2016.03.0 to before version 2025.09.3 and from version 2025.10.0 to before version 2026.03.1, when creating a FIT, mkimage(1) sets the hashed-nodes property of the FIT signature node to list which nodes of the FIT were hashed as part of the signing process as these will need to be verified later on by the bootloader. However, hashed-nodes itself is not part of the hash and can therefore be modified by an attacker to trick the bootloader into booting different images than those that have been verified. This issue has been patched in barebox versions 2025.09.3 and 2026.03.1."}], "source": {"advisory": "GHSA-3fvj-q26p-j6h4", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-24T15:31:22.066555Z", "id": "CVE-2026-33243", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-24T15:31:34.971Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33243", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-18T02:42:27.509Z", "datePublished": "2026-03-20T22:51:15.938Z", "dateUpdated": "2026-03-24T15:31:34.971Z"}, "containers": {"cna": {"title": "barebox: FIT Signature Verification Bypass Vulnerability", "problemTypes": [{"descriptions": [{"cweId": "CWE-345", "lang": "en", "description": "CWE-345: Insufficient Verification of Data Authenticity", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 8.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/barebox/barebox/security/advisories/GHSA-3fvj-q26p-j6h4", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/barebox/barebox/security/advisories/GHSA-3fvj-q26p-j6h4"}, {"name": "https://github.com/barebox/barebox/commit/aca01795056d51060cb096f9a1ea309361743e05", "tags": ["x_refsource_MISC"], "url": "https://github.com/barebox/barebox/commit/aca01795056d51060cb096f9a1ea309361743e05"}], "affected": [{"vendor": "barebox", "product": "barebox", "versions": [{"version": ">= 2016.03.0, < 2025.09.3", "status": "affected"}, {"version": ">= 2025.10.0, < 2026.03.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T22:51:15.938Z"}, "descriptions": [{"lang": "en", "value": "barebox is a bootloader. In barebox from version 2016.03.0 to before version 2025.09.3 and from version 2025.10.0 to before version 2026.03.1, when creating a FIT, mkimage(1) sets the hashed-nodes property of the FIT signature node to list which nodes of the FIT were hashed as part of the signing process as these will need to be verified later on by the bootloader. However, hashed-nodes itself is not part of the hash and can therefore be modified by an attacker to trick the bootloader into booting different images than those that have been verified. This issue has been patched in barebox versions 2025.09.3 and 2026.03.1."}], "source": {"advisory": "GHSA-3fvj-q26p-j6h4", "discovery": "UNKNOWN"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33243", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-24T15:31:22.066555Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-24T15:31:31.448Z"}}]}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "barebox is a bootloader. In barebox from version 2016.03.0 to before version 2025.09.3 and from version 2025.10.0 to before version 2026.03.1, when creating a FIT, mkimage(1) sets the hashed-nodes property of the FIT signature node to list which nodes of the FIT were hashed as part of the signing process as these will need to be verified later on by the bootloader. However, hashed-nodes itself is not part of the hash and can therefore be modified by an attacker to trick the bootloader into booting different images than those that have been verified. This issue has been patched in barebox versions 2025.09.3 and 2026.03.1."}], "id": "CVE-2026-33243", "lastModified": "2026-03-23T14:32:02.800", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.5, "impactScore": 6.0, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-20T23:16:47.167", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/barebox/barebox/commit/aca01795056d51060cb096f9a1ea309361743e05"}, {"source": "security-advisories@github.com", "url": "https://github.com/barebox/barebox/security/advisories/GHSA-3fvj-q26p-j6h4"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-345"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2016.03.0,2025.09.3)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2025.10.0,2026.03.1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "barebox", "source": "cna", "vendor": "barebox"}, "product": "barebox", "vendor": "barebox"}], "created": "2026-03-23T09:52:12.141000+00:00", "updated": "2026-03-23T09:52:12.141090+00:00", "vendors": ["barebox", "barebox$PRODUCT$barebox"]}