Security Vulnerability Report
CVE-2026-34155 CVSS 5.3 MEDIUM

Published: 2026-03-31 14:16:12
Last Modified: 2026-04-03 15:53:01

Description

RAUC controls the update process on embedded Linux systems. Prior to version 1.15.2, RAUC bundles using the 'plain' format exceeding a payload size of 2 GiB cause an integer overflow which results in a signature which covers only the first few bytes of the payload. Given such a bundle with a legitimate signature, an attacker can modify the part of the payload which is not covered by the signature. This issue has been patched in version 1.15.2.

CVSS Details

CVSS Score: 5.3
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:pengutronix:rauc:*:*:*:*:*:*:*:* - VULNERABLE
RAUC < 1.15.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# This is a conceptual PoC demonstrating the creation of a large file
# that could trigger the integer overflow condition in vulnerable RAUC versions.
# Actual exploitation requires a valid private key to sign the bundle header.

CHUNK_SIZE = 1024 * 1024  # write padding in 1 MiB pieces instead of one multi-GB buffer


def create_malicious_bundle(filename, size_gb=3):
    """
    Creates a dummy file > 2GB to simulate the overflow condition.
    """
    file_size = size_gb * 1024 * 1024 * 1024

    # In a real scenario, the first few bytes would contain a valid signed header
    # and the rest would be the malicious payload.
    with open(filename, 'wb') as f:
        # Write a dummy header (e.g., 1KB)
        f.write(b'A' * 1024)

        # Write padding to exceed 2GB limit (triggering overflow)
        # This represents the unsigned portion where malicious code resides
        remaining = file_size - 1024
        chunk = b'B' * CHUNK_SIZE
        while remaining > 0:
            n = min(remaining, CHUNK_SIZE)
            f.write(chunk[:n])
            remaining -= n

    print(f"Created {filename} with size {size_gb}GB.")
    print("If signed with a valid key, RAUC < 1.15.2 may only verify the first 1KB.")


if __name__ == "__main__":
    create_malicious_bundle("malicious_bundle.rauc")
```

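References

https://github.com/rauc/rauc/commit/4fb7c798d6ae412344fb8f8d310d773046af3441 (Patch)
https://github.com/rauc/rauc/releases/tag/v1.15.2 (Release Notes)
https://github.com/rauc/rauc/security/advisories/GHSA-6hj7-q844-m2hx (Mitigation, Patch, Vendor Advisory)
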
Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-34155", "sourceIdentifier": "[email protected]", "published": "2026-03-31T14:16:11.997", "lastModified": "2026-04-03T15:53:01.463", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "RAUC controls the update process on embedded Linux systems. Prior to version 1.15.2, RAUC bundles using the 'plain' format exceeding a payload size of 2 GiB cause an integer overflow which results in a signature which covers only the first few bytes of the payload. Given such a bundle with a legitimate signature, an attacker can modify the part of the payload which is not covered by the signature. This issue has been patched in version 1.15.2."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:L/VI:H/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 7.2, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": 
"NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-196"}, {"lang": "en", "value": "CWE-347"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:pengutronix:rauc:*:*:*:*:*:*:*:*", "versionEndExcluding": "1.15.2", "matchCriteriaId": "E4EC7982-C7EC-4B8C-9098-A1B567B10FAF"}]}]}], "references": [{"url": "https://github.com/rauc/rauc/commit/4fb7c798d6ae412344fb8f8d310d773046af3441", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/rauc/rauc/releases/tag/v1.15.2", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": "https://github.com/rauc/rauc/security/advisories/GHSA-6hj7-q844-m2hx", "source": "[email protected]", "tags": ["Mitigation", "Patch", "Vendor Advisory"]}]}}