barebox prior to version 2026.04.0 contains out-of-bounds...
Moderate severity
Unreviewed
Published
May 12, 2026
to the GitHub Advisory Database
•
Updated Jul 18, 2026
Description
Published by the National Vulnerability Database
May 11, 2026
Published to the GitHub Advisory Database
May 12, 2026
Last updated
Jul 18, 2026
barebox prior to version 2026.04.0 contains out-of-bounds read vulnerabilities in ext4 extent parsing due to missing validation of the eh_entries field against buffer capacity in fs/ext4/ext4_common.c. Attackers can supply a malicious ext4 filesystem image via USB, SD card, or network boot to trigger heap out-of-bounds reads during boot-time filesystem parsing, potentially redirecting reads to arbitrary disk offsets.
References