Vulnerability Details CVE-2026-33243
barebox is a bootloader. In barebox from version 2016.03.0 to before version 2026.03.1 (and the corresponding backport to 2025.09.3), an attacker could exploit a FIT signature verification vulnerability to trick the bootloader into booting different images than those that were verified as part of a signed configuration. mkimage(1) sets the hashed-nodes property of the FIT signature node to list which nodes of the FIT were hashed as part of the signing process as these will need to be verified later on by the bootloader. However, hashed-nodes itself is not part of the hash and could therefore be modified to allow booting different images than those that have been verified. This issue has been patched in barebox versions 2026.03.1 and backported to 2025.09.3.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.0
EPSS Ranking 0.9%
CVSS Severity
CVSS v3 Score 8.2
Products affected by CVE-2026-33243
- cpe:2.3:a:denx:u-boot:2013.07
- cpe:2.3:a:denx:u-boot:2013.10
- cpe:2.3:a:denx:u-boot:2014.01
- cpe:2.3:a:denx:u-boot:2014.04
- cpe:2.3:a:denx:u-boot:2014.07
- cpe:2.3:a:denx:u-boot:2014.10
- cpe:2.3:a:denx:u-boot:2015.01
- cpe:2.3:a:denx:u-boot:2015.04
- cpe:2.3:a:denx:u-boot:2015.07
- cpe:2.3:a:denx:u-boot:2015.10
- cpe:2.3:a:denx:u-boot:2016.01
- cpe:2.3:a:denx:u-boot:2016.03
- cpe:2.3:a:denx:u-boot:2016.05
- cpe:2.3:a:denx:u-boot:2016.07
- cpe:2.3:a:denx:u-boot:2016.09
- cpe:2.3:a:denx:u-boot:2016.09.01
- cpe:2.3:a:denx:u-boot:2016.11
- cpe:2.3:a:denx:u-boot:2017.01
- cpe:2.3:a:denx:u-boot:2017.03
- cpe:2.3:a:denx:u-boot:2017.05
- cpe:2.3:a:denx:u-boot:2017.07
- cpe:2.3:a:denx:u-boot:2017.09
- cpe:2.3:a:denx:u-boot:2017.11
- cpe:2.3:a:denx:u-boot:2018.01
- cpe:2.3:a:denx:u-boot:2018.03
- cpe:2.3:a:denx:u-boot:2018.05
- cpe:2.3:a:denx:u-boot:2018.07
- cpe:2.3:a:denx:u-boot:2018.09
- cpe:2.3:a:denx:u-boot:2018.11
- cpe:2.3:a:denx:u-boot:2019.01
- cpe:2.3:a:denx:u-boot:2019.04
- cpe:2.3:a:denx:u-boot:2019.07
- cpe:2.3:a:denx:u-boot:2019.10
- cpe:2.3:a:denx:u-boot:2020.01
- cpe:2.3:a:denx:u-boot:2020.04
- cpe:2.3:a:denx:u-boot:2020.07
- cpe:2.3:a:denx:u-boot:2020.10
- cpe:2.3:a:denx:u-boot:2021.01
- cpe:2.3:a:denx:u-boot:2021.04
- cpe:2.3:a:denx:u-boot:2022.01
- cpe:2.3:a:denx:u-boot:2022.04
- cpe:2.3:a:denx:u-boot:2022.07
- cpe:2.3:a:denx:u-boot:2022.10
- cpe:2.3:a:denx:u-boot:2023.01
- cpe:2.3:a:denx:u-boot:2023.04
- cpe:2.3:a:denx:u-boot:2023.07
- cpe:2.3:a:denx:u-boot:2023.07.02
- cpe:2.3:a:denx:u-boot:2023.10
- cpe:2.3:a:denx:u-boot:2024.01
- cpe:2.3:a:denx:u-boot:2024.04
- cpe:2.3:a:denx:u-boot:2024.07
- cpe:2.3:a:denx:u-boot:2024.10
- cpe:2.3:a:denx:u-boot:2025.01
- cpe:2.3:a:denx:u-boot:2025.04
- cpe:2.3:a:denx:u-boot:2025.07
- cpe:2.3:a:denx:u-boot:2025.10
- cpe:2.3:a:denx:u-boot:2026.01
- cpe:2.3:a:denx:u-boot:2026.04
- cpe:2.3:a:pengutronix:barebox:2016.03.0
- cpe:2.3:a:pengutronix:barebox:2016.04.0
- cpe:2.3:a:pengutronix:barebox:2016.05.0
- cpe:2.3:a:pengutronix:barebox:2016.06.0
- cpe:2.3:a:pengutronix:barebox:2016.07.0
- cpe:2.3:a:pengutronix:barebox:2016.08.0
- cpe:2.3:a:pengutronix:barebox:2016.09.0
- cpe:2.3:a:pengutronix:barebox:2016.10.0
- cpe:2.3:a:pengutronix:barebox:2016.11.0
- cpe:2.3:a:pengutronix:barebox:2017.01.0
- cpe:2.3:a:pengutronix:barebox:2017.02.0
- cpe:2.3:a:pengutronix:barebox:2017.03.0
- cpe:2.3:a:pengutronix:barebox:2017.04.0
- cpe:2.3:a:pengutronix:barebox:2017.05.0
- cpe:2.3:a:pengutronix:barebox:2017.05.1
- cpe:2.3:a:pengutronix:barebox:2017.05.2
- cpe:2.3:a:pengutronix:barebox:2017.05.3
- cpe:2.3:a:pengutronix:barebox:2017.05.4
- cpe:2.3:a:pengutronix:barebox:2017.06.0
- cpe:2.3:a:pengutronix:barebox:2017.06.1
- cpe:2.3:a:pengutronix:barebox:2017.06.2
- cpe:2.3:a:pengutronix:barebox:2017.07.0
- cpe:2.3:a:pengutronix:barebox:2017.07.1
- cpe:2.3:a:pengutronix:barebox:2017.08.0
- cpe:2.3:a:pengutronix:barebox:2017.09.0
- cpe:2.3:a:pengutronix:barebox:2017.10.0
- cpe:2.3:a:pengutronix:barebox:2017.11.0
- cpe:2.3:a:pengutronix:barebox:2017.12.0
- cpe:2.3:a:pengutronix:barebox:2018.01.0
- cpe:2.3:a:pengutronix:barebox:2018.02.0
- cpe:2.3:a:pengutronix:barebox:2018.03.0
- cpe:2.3:a:pengutronix:barebox:2018.04.0
- cpe:2.3:a:pengutronix:barebox:2018.05.0
- cpe:2.3:a:pengutronix:barebox:2018.06.0
- cpe:2.3:a:pengutronix:barebox:2018.07.0
- cpe:2.3:a:pengutronix:barebox:2018.07.1
- cpe:2.3:a:pengutronix:barebox:2018.07.2
- cpe:2.3:a:pengutronix:barebox:2018.08.0
- cpe:2.3:a:pengutronix:barebox:2018.08.1
- cpe:2.3:a:pengutronix:barebox:2018.09.0
- cpe:2.3:a:pengutronix:barebox:2018.09.1
- cpe:2.3:a:pengutronix:barebox:2018.10.0
- cpe:2.3:a:pengutronix:barebox:2018.11.0
- cpe:2.3:a:pengutronix:barebox:2018.12.0
- cpe:2.3:a:pengutronix:barebox:2018.8.1
- cpe:2.3:a:pengutronix:barebox:2019.01.0
- cpe:2.3:a:pengutronix:barebox:2019.02.0
- cpe:2.3:a:pengutronix:barebox:2019.03.0
- cpe:2.3:a:pengutronix:barebox:2019.04.0
- cpe:2.3:a:pengutronix:barebox:2019.05.0
- cpe:2.3:a:pengutronix:barebox:2019.06.0
- cpe:2.3:a:pengutronix:barebox:2019.06.1
- cpe:2.3:a:pengutronix:barebox:2019.07.0
- cpe:2.3:a:pengutronix:barebox:2019.08.0
- cpe:2.3:a:pengutronix:barebox:2019.08.1
- cpe:2.3:a:pengutronix:barebox:2019.09.0
- cpe:2.3:a:pengutronix:barebox:2019.10.0
- cpe:2.3:a:pengutronix:barebox:2019.11.0
- cpe:2.3:a:pengutronix:barebox:2019.12.0
- cpe:2.3:a:pengutronix:barebox:2020.01.0
- cpe:2.3:a:pengutronix:barebox:2020.02.0
- cpe:2.3:a:pengutronix:barebox:2020.03.0
- cpe:2.3:a:pengutronix:barebox:2020.04.0
- cpe:2.3:a:pengutronix:barebox:2020.05.0
- cpe:2.3:a:pengutronix:barebox:2020.06.0
- cpe:2.3:a:pengutronix:barebox:2020.07.0
- cpe:2.3:a:pengutronix:barebox:2020.08.0
- cpe:2.3:a:pengutronix:barebox:2020.08.1
- cpe:2.3:a:pengutronix:barebox:2020.09.0
- cpe:2.3:a:pengutronix:barebox:2020.10.0
- cpe:2.3:a:pengutronix:barebox:2020.11.0
- cpe:2.3:a:pengutronix:barebox:2020.12.0
- cpe:2.3:a:pengutronix:barebox:2021.01.0
- cpe:2.3:a:pengutronix:barebox:2021.02.0
- cpe:2.3:a:pengutronix:barebox:2021.03.0
- cpe:2.3:a:pengutronix:barebox:2021.04.0
- cpe:2.3:a:pengutronix:barebox:2021.05.0
- cpe:2.3:a:pengutronix:barebox:2021.06.0
- cpe:2.3:a:pengutronix:barebox:2021.07.0
- cpe:2.3:a:pengutronix:barebox:2021.08.0
- cpe:2.3:a:pengutronix:barebox:2021.10.0
- cpe:2.3:a:pengutronix:barebox:2021.11.0
- cpe:2.3:a:pengutronix:barebox:2021.12.0
- cpe:2.3:a:pengutronix:barebox:2022.01.0
- cpe:2.3:a:pengutronix:barebox:2022.02.0
- cpe:2.3:a:pengutronix:barebox:2022.03.0
- cpe:2.3:a:pengutronix:barebox:2022.04.0
- cpe:2.3:a:pengutronix:barebox:2022.05.0
- cpe:2.3:a:pengutronix:barebox:2022.06.0
- cpe:2.3:a:pengutronix:barebox:2022.08.0
- cpe:2.3:a:pengutronix:barebox:2022.09.0
- cpe:2.3:a:pengutronix:barebox:2022.10.0
- cpe:2.3:a:pengutronix:barebox:2022.11.0
- cpe:2.3:a:pengutronix:barebox:2022.12.0
- cpe:2.3:a:pengutronix:barebox:2023.01.0
- cpe:2.3:a:pengutronix:barebox:2023.02.0
- cpe:2.3:a:pengutronix:barebox:2023.02.1
- cpe:2.3:a:pengutronix:barebox:2023.03.0
- cpe:2.3:a:pengutronix:barebox:2023.04.0
- cpe:2.3:a:pengutronix:barebox:2023.05.0
- cpe:2.3:a:pengutronix:barebox:2023.06.0
- cpe:2.3:a:pengutronix:barebox:2023.07.0
- cpe:2.3:a:pengutronix:barebox:2023.07.1
- cpe:2.3:a:pengutronix:barebox:2023.08.0
- cpe:2.3:a:pengutronix:barebox:2023.09.0
- cpe:2.3:a:pengutronix:barebox:2023.10.0
- cpe:2.3:a:pengutronix:barebox:2023.11.0
- cpe:2.3:a:pengutronix:barebox:2023.12.0
- cpe:2.3:a:pengutronix:barebox:2024.01.0
- cpe:2.3:a:pengutronix:barebox:2024.02.0
- cpe:2.3:a:pengutronix:barebox:2024.03.0
- cpe:2.3:a:pengutronix:barebox:2024.04.0
- cpe:2.3:a:pengutronix:barebox:2024.05.0
- cpe:2.3:a:pengutronix:barebox:2024.07.0
- cpe:2.3:a:pengutronix:barebox:2024.08.0
- cpe:2.3:a:pengutronix:barebox:2024.09.0
- cpe:2.3:a:pengutronix:barebox:2024.10.0
- cpe:2.3:a:pengutronix:barebox:2024.12.0
- cpe:2.3:a:pengutronix:barebox:2025.01.0
- cpe:2.3:a:pengutronix:barebox:2025.02.0
- cpe:2.3:a:pengutronix:barebox:2025.03.0
- cpe:2.3:a:pengutronix:barebox:2025.04.0
- cpe:2.3:a:pengutronix:barebox:2025.05.0
- cpe:2.3:a:pengutronix:barebox:2025.06.0
- cpe:2.3:a:pengutronix:barebox:2025.06.1
- cpe:2.3:a:pengutronix:barebox:2025.07.0
- cpe:2.3:a:pengutronix:barebox:2025.08.0
- cpe:2.3:a:pengutronix:barebox:2025.09.0
- cpe:2.3:a:pengutronix:barebox:2025.09.1
- cpe:2.3:a:pengutronix:barebox:2025.09.2
- cpe:2.3:a:pengutronix:barebox:2025.10.0
- cpe:2.3:a:pengutronix:barebox:2025.11.0
- cpe:2.3:a:pengutronix:barebox:2025.12.0
- cpe:2.3:a:pengutronix:barebox:2026.01.0
- cpe:2.3:a:pengutronix:barebox:2026.02.0
- cpe:2.3:a:pengutronix:barebox:2026.03.0