Memory Safety Vulnerabilities in Barebox EFI PE Loader by Barebox
CVE-2026-34963

8.6HIGH

Key Information:

Vendor

Barebox

Status
Barebox
Vendor
CVE Published:
11 May 2026

What is CVE-2026-34963?

Barebox, an open-source bootloader, is subject to multiple memory safety vulnerabilities in its EFI PE loader. Notably, these vulnerabilities stem from an integer overflow in the calculation of virtual image size using 32-bit arithmetic. This flaw impacts the handling of section VirtualAddress and size values, leading to insufficient heap allocation. Additionally, the PE section loading logic does not properly validate the sum of PointerToRawData and the copied size, which can extend beyond the boundaries of the PE file buffer. An attacker exploiting this vulnerability could deliver a malicious EFI PE binary through various means such as TFTP, USB, SD cards, or network boot, resulting in heap buffer overflows or out-of-bounds reads from heap memory, potentially allowing for unauthorized code execution in the bootloader context.

Affected Version(s)

barebox 0 <= 2026.04.0

References

https://github.com/barebox/barebox
product
https://github.com/barebox/barebox/releases/tag/v2026.04.0
patch
https://www.vulncheck.com/advisories/barebox-efi-pe-loade...
third-party-advisory

CVSS V4

Score:
8.6
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Kazuma Matsumoto
.