CVE-2026-33243
Published: 20 March 2026
Summary
CVE-2026-33243 is a high-severity Insufficient Verification of Data Authenticity (CWE-345) vulnerability in the barebox bootloader. Its CVSS v3.1 base score is 8.2 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). It ranks at the 0.9th percentile by exploit likelihood (well below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-7 (Software, Firmware, and Information Integrity).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SI-2 (Flaw Remediation): requires timely identification, reporting, and correction of flaws such as this FIT signature verification bypass. Here that means deploying the fixed barebox release, since the defect is in the bootloader's verifier rather than in the signed images.
SI-7 (Software, Firmware, and Information Integrity): mandates cryptographic verification of firmware and boot images before execution. The control is only effective once the verifier is fixed, because the flaw is that the unsigned hashed-nodes property lets an altered image pass the existing integrity check.
Digital signatures on system components, including boot images, are required as well; FIT-based signing satisfies this only when the verifier binds the set of signed nodes to the signed data, which the hashed-nodes manipulation shows the affected versions do not.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Local high-privilege exploitation of the FIT signature bypass directly enables arbitrary code execution at boot by loading unauthorized images, mapping to privilege escalation (T1068) and bootkit-style persistence via pre-OS boot compromise (T1542.003).
NVD Description
barebox is a bootloader. In barebox from version 2016.03.0 to before version 2026.03.1 (and the corresponding backport to 2025.09.3), an attacker could exploit a FIT signature verification vulnerability to trick the bootloader into booting different images than those that were verified as part of a signed configuration. mkimage(1) sets the hashed-nodes property of the FIT signature node to list which nodes of the FIT were hashed as part of the signing process as these will need to be verified later on by the bootloader. However, hashed-nodes itself is not part of the hash and could therefore be modified to allow booting different images than those that have been verified. This issue has been patched in barebox versions 2026.03.1 and backported to 2025.09.3.
Deeper analysis
CVE-2026-33243 affects the barebox bootloader, a component used in embedded systems for the initial boot process. The vulnerability resides in the Flattened Image Tree (FIT) signature verification mechanism and is present in barebox versions from 2016.03.0 up to but not including 2026.03.1, with the fix also backported to the 2025.09.3 release. When a configuration is signed, mkimage sets a hashed-nodes property in the FIT signature node listing which nodes (the configuration node and the image nodes it references) were hashed, so that the bootloader later hashes the same nodes before checking the signature. The hashed-nodes property itself is excluded from the hash computation, so the list of what to verify is the one part of the signed configuration an attacker can edit after signing (classified under CWE-345: Insufficient Verification of Data Authenticity).
Exploitation requires local access (AV:L) with high privileges (PR:H), low attack complexity (AC:L), and no user interaction (UI:N). A privileged local attacker who can write the FIT image the bootloader loads, without possessing the signing key, can alter the hashed-nodes property so that the nodes the bootloader hashes are no longer the ones the configuration actually boots. The signature still verifies, and the bootloader accepts and executes unauthorized images during boot, potentially leading to arbitrary code execution with high impact on confidentiality, integrity, and availability (C:H/I:H/A:H) and changed scope (S:C), as reflected in the CVSS v3.1 base score of 8.2.
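The mechanism described above, as an added example that is not part of this page or of barebox: a Python model of FIT configuration signing in which, as with mkimage, the hashed-nodes list is written as an unsigned property. The dict-based FIT layout, hashing a node by its property values alone (not its path), the HMAC standing in for the RSA signature, the sample image contents and the tampering function are all assumptions of the model. The hardened verifier (derive the node set from the configuration about to boot and reject if hashed-nodes omits any of it) is a generic fix for this class of bug, not a description of the barebox commit.

```python
"""Model of FIT configuration signing and the unsigned hashed-nodes bypass.

Constructed example, not barebox code. The FIT is a nested dict and the
signature is an HMAC standing in for RSA. The property that matters is
modelled faithfully: hashed-nodes names the nodes whose contents were
hashed, but the list itself is not covered by the signature.
"""
import hashlib
import hmac

SIGNING_KEY = b"constructed-demo-key"  # stand-in for the vendor's private key


def make_fit():
    """Constructed sample FIT: one configuration referencing two images."""
    return {
        "images": {
            "kernel-1": {"data": b"good kernel", "type": "kernel"},
            "fdt-1": {"data": b"good dtb", "type": "flat_dt"},
        },
        "configurations": {"conf-1": {"kernel": "kernel-1", "fdt": "fdt-1"}},
        # Real FIT nests the signature node under the configuration; keeping
        # it here leaves the configuration node with plain properties only.
        "signatures": {},
    }


def lookup(fit, path):
    node = fit
    for part in path.strip("/").split("/"):
        node = node[part]
    return node


def digest_nodes(fit, paths):
    """Hash each listed node's properties, in list order.

    Model assumption: a node is hashed by its property values only, so the
    same bytes under a different node name give the same digest.
    """
    h = hashlib.sha256()
    for path in paths:
        node = lookup(fit, path)
        for key in sorted(node):
            val = node[key]
            h.update(key.encode())
            h.update(val if isinstance(val, bytes) else val.encode())
    return h.digest()


def required_nodes(fit, conf_name):
    """The configuration node plus every image node it references."""
    conf = fit["configurations"][conf_name]
    return ["/configurations/" + conf_name] + ["/images/" + ref for ref in conf.values()]


def sign_config(fit, conf_name, key):
    """mkimage-style signing: record hashed-nodes (unsigned) and sign their digest."""
    hashed = required_nodes(fit, conf_name)
    fit["signatures"][conf_name] = {
        "hashed-nodes": hashed,
        "value": hmac.new(key, digest_nodes(fit, hashed), "sha256").digest(),
    }


def signature_matches(fit, conf_name, key):
    sig = fit["signatures"][conf_name]
    expected = hmac.new(key, digest_nodes(fit, sig["hashed-nodes"]), "sha256").digest()
    return hmac.compare_digest(expected, sig["value"])


def verify_vulnerable(fit, conf_name, key):
    """Pre-fix behaviour: trust hashed-nodes to say what was signed."""
    return signature_matches(fit, conf_name, key)


def verify_hardened(fit, conf_name, key):
    """Generic hardening (assumed, not the barebox patch): the nodes that must be
    covered are derived from the configuration about to boot; refuse if the
    attacker-writable hashed-nodes list omits any of them."""
    hashed = fit["signatures"][conf_name]["hashed-nodes"]
    if any(path not in hashed for path in required_nodes(fit, conf_name)):
        return False
    return signature_matches(fit, conf_name, key)


def booted_kernel(fit, conf_name):
    """What the bootloader would actually load for this configuration."""
    return fit["images"][fit["configurations"][conf_name]["kernel"]]["data"]


def tamper(fit):
    """Attacker with write access to the FIT image but no signing key.

    The verified kernel bytes move to a new node name, a malicious kernel takes
    over the name the signed (unmodified) configuration references, and
    hashed-nodes is pointed at the relocated node so the digest is unchanged.
    """
    images = fit["images"]
    images["kernel-orig"] = images.pop("kernel-1")
    images["kernel-1"] = {"data": b"EVIL kernel", "type": "kernel"}
    sig = fit["signatures"]["conf-1"]
    sig["hashed-nodes"] = ["/images/kernel-orig" if p == "/images/kernel-1" else p
                           for p in sig["hashed-nodes"]]


def demo():
    """Returns (vulnerable, hardened) verdicts before tampering and
    (vulnerable, hardened, kernel bytes booted) after tampering."""
    fit = make_fit()
    sign_config(fit, "conf-1", SIGNING_KEY)
    out = {"signed": (verify_vulnerable(fit, "conf-1", SIGNING_KEY),
                      verify_hardened(fit, "conf-1", SIGNING_KEY))}
    tamper(fit)
    out["tampered"] = (verify_vulnerable(fit, "conf-1", SIGNING_KEY),
                       verify_hardened(fit, "conf-1", SIGNING_KEY),
                       booted_kernel(fit, "conf-1"))
    return out


if __name__ == "__main__":
    for stage, result in demo().items():
        print(stage, result)
```

After tampering, the vulnerable verifier still reports success and the configuration boots the malicious kernel; the hardened verifier rejects the image because the node the configuration references is not among those the signature covers. If the attacker instead leaves "/images/kernel-1" in hashed-nodes and overwrites its contents, both verifiers fail on the digest, which is why the unsigned list, not the hash itself, is the weak point.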
Mitigation is available through the patch in barebox version 2026.03.1 and its backport to 2025.09.3. Operators of affected systems should update promptly; because the defect is in the bootloader's verifier, remediation means flashing a fixed barebox, and re-signing existing FIT images alone does not help. Detailed patch information is in the commit at https://github.com/barebox/barebox/commit/aca01795056d51060cb096f9a1ea309361743e05, and further guidance is provided in the GitHub Security Advisory at https://github.com/barebox/barebox/security/advisories/GHSA-3fvj-q26p-j6h4.
Details
- CWE(s)