Out-of-Bounds Read Vulnerability in the barebox Ext4 Filesystem Implementation
CVE-2026-34961
6.9 MEDIUM
What is CVE-2026-34961?
barebox versions before 2026.04.0 contain an out-of-bounds read in the ext4 extent parsing code. The ext4 implementation does not validate the extent header's eh_entries field against the capacity of the buffer that holds the extent node, so the entry walk trusts a count taken straight from the image. An attacker who can supply a crafted ext4 filesystem image, for example on a USB device, an SD card, or via network boot, triggers heap out-of-bounds reads while the bootloader parses the filesystem at boot time. The reads can reach memory beyond the node buffer, potentially arbitrary memory regions, and so may further compromise system integrity. The issue is addressed in 2026.04.0; until a system is updated, the exposure is limited to boot sources on which an attacker can place a filesystem image.
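To make the missing check concrete, the following is an added example and not barebox code: it decodes an ext4 extent node, shows the unchecked pattern (loop bound taken from eh_entries) beside a checked one, and builds constructed node buffers to exercise both. The layout facts (little-endian fields, a 12-byte header with magic 0xF30A, 12-byte entries, a 60-byte inode i_block holding at most four entries) come from the ext4 on-disk format; the helper names and the sample nodes are constructed here. Note that bounding eh_entries by eh_max alone is not enough, because eh_max also comes from the image, so eh_max is first bounded by the buffer size.

```c
/* Added example, not barebox code: ext4 extent-node layout and an eh_entries
 * bounds check of the kind the advisory describes as missing. Layout facts
 * are from the ext4 on-disk format; helper names and buffers are constructed. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define EXT4_EXT_MAGIC     0xF30A
#define EXT4_EXT_HDR_SIZE  12
#define EXT4_EXT_ENT_SIZE  12   /* ext4_extent and ext4_extent_idx are both 12 bytes */
#define EXT4_INODE_IBLOCK  60   /* i_block: one header plus at most four entries */

struct ext_hdr { uint16_t magic, entries, max, depth; uint32_t generation; };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }

/* Decode the header; false on a short buffer or bad magic. */
static bool read_hdr(const uint8_t *buf, size_t len, struct ext_hdr *h)
{
    if (len < EXT4_EXT_HDR_SIZE) return false;
    h->magic = rd16(buf);        h->entries = rd16(buf + 2);
    h->max   = rd16(buf + 4);    h->depth   = rd16(buf + 6);
    h->generation = (uint32_t)rd16(buf + 8) | ((uint32_t)rd16(buf + 10) << 16);
    return h->magic == EXT4_EXT_MAGIC;
}

/* Unchecked pattern: the loop bound comes straight from the image. A crafted
 * eh_entries makes an entry walk run past the end of the node buffer. */
static int entries_trusted(const uint8_t *buf, size_t len)
{
    struct ext_hdr h;
    return read_hdr(buf, len, &h) ? h.entries : -1;
}

/* Checked pattern: eh_max must fit the bytes after the header, and
 * eh_entries must not exceed eh_max. Returns -1 for an inconsistent node. */
static int entries_checked(const uint8_t *buf, size_t len)
{
    struct ext_hdr h;
    if (!read_hdr(buf, len, &h)) return -1;
    size_t capacity = (len - EXT4_EXT_HDR_SIZE) / EXT4_EXT_ENT_SIZE;
    if (h.max > capacity || h.entries > h.max) return -1;
    return h.entries;
}

/* Sum the ee_len block counts of a leaf node (eh_depth == 0) using the
 * checked count, so every read stays inside buf. Returns -1 if rejected. */
static long leaf_blocks(const uint8_t *buf, size_t len)
{
    struct ext_hdr h;
    int n = entries_checked(buf, len);
    if (n < 0 || !read_hdr(buf, len, &h) || h.depth != 0) return -1;
    long total = 0;
    for (int i = 0; i < n; i++) {
        uint16_t ee_len = rd16(buf + EXT4_EXT_HDR_SIZE + i * EXT4_EXT_ENT_SIZE + 4);
        total += ee_len > 32768 ? ee_len - 32768 : ee_len; /* bit 15 marks an uninitialized extent */
    }
    return total;
}

/* Build a constructed leaf node in a static 60-byte i_block. lens[] are the
 * ee_len values of the first nlens entries (at most four fit). */
static const uint8_t *make_node(uint16_t entries, uint16_t max, const uint16_t *lens, size_t nlens)
{
    static uint8_t node[EXT4_INODE_IBLOCK];
    memset(node, 0, sizeof node);
    wr16(node, EXT4_EXT_MAGIC); wr16(node + 2, entries); wr16(node + 4, max);
    for (size_t i = 0; i < nlens && i < 4; i++)
        wr16(node + EXT4_EXT_HDR_SIZE + i * EXT4_EXT_ENT_SIZE + 4, lens[i]);
    return node;
}

int main(void)
{
    const uint16_t lens[] = { 10, 5 };
    const uint8_t *n;

    n = make_node(2, 4, lens, 2);          /* well-formed inode extent tree */
    printf("good node:          trusted=%d checked=%d blocks=%ld\n",
           entries_trusted(n, EXT4_INODE_IBLOCK), entries_checked(n, EXT4_INODE_IBLOCK),
           leaf_blocks(n, EXT4_INODE_IBLOCK));

    n = make_node(1000, 4, NULL, 0);       /* crafted: eh_entries far beyond the 4 slots */
    printf("crafted eh_entries: trusted=%d checked=%d\n",
           entries_trusted(n, EXT4_INODE_IBLOCK), entries_checked(n, EXT4_INODE_IBLOCK));

    n = make_node(1000, 1000, NULL, 0);    /* crafted: eh_max lifted to match */
    printf("crafted eh_max too: trusted=%d checked=%d\n",
           entries_trusted(n, EXT4_INODE_IBLOCK), entries_checked(n, EXT4_INODE_IBLOCK));
    return 0;
}
```

The same capacity argument applies to extent nodes read from disk blocks: there the buffer length is the filesystem block size rather than the 60-byte i_block, and any index-node walk should also bound the child block number against the filesystem size before following it.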
Affected Version(s)
barebox: all versions before 2026.04.0 (fixed in 2026.04.0)
