Vulnerability in libefiboot Affects EFIVAR Products
CVE-2026-6862

5.5MEDIUM

Key Information:

Vendor: Red Hat
Status: Red Hat Enterprise Linux 10; Red Hat Enterprise Linux 7; Red Hat Enterprise Linux 8; Red Hat Enterprise Linux 9
Vendor: CVE Published:; 22 April 2026

What is CVE-2026-6862?

A flaw in the libefiboot component of efivar allows for improper validation of the Length field in device path nodes. This vulnerability can lead to infinite recursion when a malicious user supplies a crafted device path node, resulting in stack exhaustion and causing a crash of the affected process. This presents a significant risk of denial of service, impacting the overall system stability.

References

https://access.redhat.com/security/cve/CVE-2026-6862

vdb-entryx_refsource_REDHAT

https://bugzilla.redhat.com/show_bug.cgi?id=2459982

issue-trackingx_refsource_REDHAT

CVSS V3.1

Score:

5.5

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 22, 2026
Vulnerability Reserved
Apr 22, 2026

Credit

Red Hat would like to thank Mathis Huron (Oteria Cyber School, FuzzingLabs) for reporting this issue.

CVE-2026-6862 Data

JSON