Denial-of-Service Vulnerability in barebox Affecting ext4 File System Parsing
CVE-2026-34962

6.9 MEDIUM

Key Information:

Vendor

Barebox

Status
Vendor
CVE Published:
11 May 2026

What is CVE-2026-34962?

A denial-of-service vulnerability exists in barebox prior to version 2026.04.0 in its ext4 directory parsing. The flaw is in the ext4fs_iterate_dir() function in fs/ext4/ext4_common.c, which does not sufficiently validate the length value of directory entries before using it to step to the next entry. A crafted ext4 filesystem image containing a directory entry with a zero length (a direntlen value of 0) therefore causes an infinite loop during directory listing or path resolution, and the boot process hangs indefinitely. The impact is to availability only.
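The failure mode above is a directory walker that advances by an attacker-supplied rec_len without checking it. The following is an added example, not barebox code: a minimal ext4 directory-block walker that applies the bounds checks the advisory describes as missing (rec_len at least the 8-byte header, 4-byte aligned, within the block, and large enough for the name), run over a constructed block with well-formed entries and over the same block with one entry's rec_len forced to 0. The walker, block layout and helper names are assumptions for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Fixed header of an on-disk ext4 directory entry: inode (4), rec_len (2),
 * name_len (1), file_type (1); the name follows and rec_len is 4-byte aligned. */
#define EXT4_DIRENT_HDR 8

/* Walk one directory block, counting in-use entries.
 * Returns the count, or -1 as soon as an entry's rec_len is inconsistent. */
static int iterate_dir_block(const uint8_t *blk, size_t blksz)
{
    size_t off = 0;
    int count = 0;
    while (off < blksz) {
        if (blksz - off < EXT4_DIRENT_HDR)
            return -1;                       /* truncated header */
        uint32_t inode = blk[off] | blk[off + 1] << 8 | blk[off + 2] << 16 |
                         (uint32_t)blk[off + 3] << 24;
        uint16_t rec_len = blk[off + 4] | blk[off + 5] << 8;
        uint8_t name_len = blk[off + 6];
        /* Bounds check the advisory describes as missing: with rec_len == 0 the
         * offset never advances, so the loop below would never terminate. */
        if (rec_len < EXT4_DIRENT_HDR || (rec_len & 3) || rec_len > blksz - off ||
            (size_t)name_len + EXT4_DIRENT_HDR > rec_len)
            return -1;
        if (inode != 0)                      /* inode 0 marks an unused slot */
            count++;
        off += rec_len;
    }
    return count;
}

/* Constructed 64-byte directory block: ".", ".." and "boot", each well-formed. */
static const uint8_t GOOD_BLOCK[64] = {
    2, 0, 0, 0, 12, 0, 1, 2, '.', 0, 0, 0,
    2, 0, 0, 0, 12, 0, 2, 2, '.', '.', 0, 0,
    12, 0, 0, 0, 40, 0, 4, 2, 'b', 'o', 'o', 't', /* padding to 40 is zero */
};

int check_good(void) { return iterate_dir_block(GOOD_BLOCK, sizeof GOOD_BLOCK); }

/* Same block with the last entry's rec_len forced to 0 (the crafted case). */
int check_zero_rec_len(void)
{
    uint8_t blk[64];
    memcpy(blk, GOOD_BLOCK, sizeof blk);
    blk[28] = 0; blk[29] = 0;                /* rec_len field of the "boot" entry */
    return iterate_dir_block(blk, sizeof blk);
}
```

check_good() returns 3 and check_zero_rec_len() returns -1, i.e. the walker rejects the zero-length entry instead of spinning on it.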

Affected Version(s)

barebox 0 <= 2026.04.0

References

CVSS V4

Score:
6.9
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Attack Requirements:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Kazuma Matsumoto