Vulnerability in barebox Bootloader Affects System Integrity
CVE-2026-33243

8.3 HIGH

Key Information:

Vendor: Barebox
Status: Vendor
CVE Published: 20 March 2026

What is CVE-2026-33243?

The barebox bootloader contains a vulnerability that allows an attacker to modify the hashed-nodes property of a FIT signature node. This manipulation can mislead the bootloader into booting unauthorized images in place of the verified ones. The issue affects barebox releases before the fixes shipped in versions 2025.09.3 and 2026.03.1; users should upgrade to one of those patched versions to maintain system integrity.
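The check below is an added example, not barebox's own code: it shows the consistency test a FIT verifier needs so that a signature computed over a trimmed hashed-nodes list cannot vouch for images it never covered. It assumes the U-Boot FIT layout, which this advisory does not describe (/images/<name> nodes, /configurations/<name> nodes whose kernel/fdt/ramdisk properties name images, and signature-* subnodes holding hashed-nodes); the FIT is modelled as nested dicts rather than parsed from a DTB, and the sample data is constructed.

```python
# Added example, not barebox code. Models a FIT (Flattened Image Tree) as
# nested dicts instead of parsing a DTB. Assumed layout (U-Boot FIT convention,
# not taken from the advisory): /images/<name>, /configurations/<name> with
# kernel/fdt/ramdisk properties naming images, signature-* with "hashed-nodes".

IMAGE_REFS = ("kernel", "fdt", "ramdisk", "firmware", "loadables")


def referenced_nodes(fit, conf_name):
    """Node paths a configuration actually boots from, plus the
    configuration node itself."""
    conf = fit["configurations"][conf_name]
    needed = {f"/configurations/{conf_name}"}
    for prop in IMAGE_REFS:
        val = conf.get(prop)
        if val is None:
            continue
        names = val if isinstance(val, (list, tuple)) else [val]
        needed.update(f"/images/{n}" for n in names)
    return needed


def hashed_nodes_cover_config(fit, conf_name):
    """True only if every node the configuration boots from is listed in
    hashed-nodes of every signature subnode; otherwise the signature may
    verify yet say nothing about the image that ends up booting."""
    conf = fit["configurations"][conf_name]
    sigs = [v for k, v in conf.items() if k.startswith("signature")]
    if not sigs:
        return False
    needed = referenced_nodes(fit, conf_name)
    return all(needed <= set(sig.get("hashed-nodes", [])) for sig in sigs)


# Constructed sample FIT: conf-1 is signed over every node it boots from;
# conf-evil names a ramdisk that its signature's hashed-nodes omits.
SAMPLE_FIT = {
    "images": {"kernel-1": {}, "fdt-1": {}, "ramdisk-x": {}},
    "configurations": {
        "conf-1": {
            "kernel": "kernel-1", "fdt": "fdt-1",
            "signature-1": {"hashed-nodes": ["/", "/configurations/conf-1",
                            "/images/kernel-1", "/images/fdt-1"]}},
        "conf-evil": {
            "kernel": "kernel-1", "fdt": "fdt-1", "ramdisk": "ramdisk-x",
            "signature-1": {"hashed-nodes": ["/", "/configurations/conf-evil",
                            "/images/kernel-1", "/images/fdt-1"]}},
    },
}
```

A real verifier would run this after the cryptographic signature check, rejecting the configuration when it returns False.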

Affected Version(s)

barebox >= 2016.03.0, < 2025.09.3

barebox >= 2025.10.0, < 2026.03.1

References

CVSS V3.1

Score: 8.3
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
