Cyber Resilience

CVE-2026-34963

Severity: High · Public PoC

Published: 11 May 2026

Modified: 13 May 2026
KEV Added: not listed
Patch: not recorded
CVSS v4.0 score: 8.6 (vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0016 (5.3rd percentile)
Risk priority: 55 (floored blend, peak EPSS)

Summary

CVE-2026-34963 is a high-severity Integer Overflow or Wraparound (CWE-190) vulnerability in Pengutronix Barebox. Its CVSS base score is 8.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique TFTP Boot (T1542.005). The CVE is ranked at the 5.3rd percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

EU & UK References

Vulnerability details

barebox versions prior to 2026.04.0 contain multiple memory-safety vulnerabilities in the EFI PE loader in efi/loader/pe.c. An integer overflow in the virtual image size computation, which uses 32-bit arithmetic on section VirtualAddress and size values, allows an undersized heap allocation, and the PE section loading logic fails to validate that PointerToRawData plus the copied size remains within the PE file buffer. An attacker can supply a malicious EFI PE binary via TFTP, USB, SD card, or network boot to trigger a heap buffer overflow or an out-of-bounds read from heap memory, potentially achieving code execution in bootloader context.
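The two defects described above (a 32-bit overflow when summing a section's VirtualAddress and size to derive the image size, and a missing check that PointerToRawData plus the copied size stays inside the file buffer) are both caught by validating the section table before allocating or copying. The C below is an added example written for this page, not barebox's own efi/loader/pe.c: the reduced section struct, the 16 MiB image cap (MAX_IMAGE) and the sample section tables are constructed assumptions, and the field names follow the standard PE/COFF section header.

```c
/* Added example (not barebox code): overflow-safe validation of PE section
 * headers before sizing an image buffer and copying section raw data.
 * The struct is a constructed subset of IMAGE_SECTION_HEADER. */
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <stdio.h>

/* Assumed upper bound on what the loader is willing to map (16 MiB). */
#define MAX_IMAGE ((uint64_t)16 * 1024 * 1024)

struct pe_section {
    uint32_t virtual_size;        /* VirtualSize */
    uint32_t virtual_address;     /* VirtualAddress (RVA) */
    uint32_t size_of_raw_data;    /* SizeOfRawData */
    uint32_t pointer_to_raw_data; /* PointerToRawData (file offset) */
};

/* Image size needed to map every section. Sums are done in 64 bits and
 * capped, so a hostile VirtualAddress + size pair cannot wrap to a small
 * value and shrink the allocation. Conservatively reserves the larger of
 * VirtualSize and SizeOfRawData. Returns false on any inconsistency. */
bool pe_image_size(const struct pe_section *sec, size_t nsec,
                   uint64_t max_image, uint64_t *out_size)
{
    uint64_t end = 0;
    for (size_t i = 0; i < nsec; i++) {
        uint64_t sz = sec[i].virtual_size;
        if (sec[i].size_of_raw_data > sz)
            sz = sec[i].size_of_raw_data;
        uint64_t sec_end = (uint64_t)sec[i].virtual_address + sz;
        if (sec_end > max_image)
            return false;          /* would exceed what we are willing to map */
        if (sec_end > end)
            end = sec_end;
    }
    *out_size = end;
    return true;
}

/* True only if copying the section's raw bytes stays inside both the file
 * buffer (file_len bytes) and the image buffer (image_len bytes). */
bool pe_section_copy_ok(const struct pe_section *s,
                        uint64_t file_len, uint64_t image_len)
{
    uint64_t copy = s->size_of_raw_data;
    if (s->virtual_size != 0 && copy > s->virtual_size)
        copy = s->virtual_size;    /* never copy more than the mapped size */
    /* Adding two uint32_t values in 64-bit arithmetic cannot overflow. */
    if ((uint64_t)s->pointer_to_raw_data + copy > file_len)
        return false;              /* source read would run off the file */
    if ((uint64_t)s->virtual_address + copy > image_len)
        return false;              /* destination write would run off the image */
    return true;
}

/* Constructed sample: a well-formed two-section table against a 4 KiB file.
 * Returns 1 if accepted with image size 0x2100, else 0. */
int demo_benign_accepted(void)
{
    struct pe_section s[] = {
        {0x200, 0x1000, 0x200, 0x400},  /* .text-like */
        {0x100, 0x2000, 0x080, 0x600},  /* .data-like */
    };
    uint64_t img;
    if (!pe_image_size(s, 2, MAX_IMAGE, &img) || img != 0x2100)
        return 0;
    for (size_t i = 0; i < 2; i++)
        if (!pe_section_copy_ok(&s[i], 0x1000, img))
            return 0;
    return 1;
}

/* Constructed sample: VirtualAddress + VirtualSize wraps in 32 bits.
 * Returns the wrapped 32-bit sum to show how small the allocation would be. */
uint32_t demo_wrapped_32bit(void)
{
    struct pe_section s = {0x2000, 0xFFFFF000, 0x2000, 0x400};
    return s.virtual_address + s.virtual_size; /* wraps to 0x1000 */
}

/* Same section, checked in 64 bits: returns 1 if rejected. */
int demo_wrap_rejected(void)
{
    struct pe_section s = {0x2000, 0xFFFFF000, 0x2000, 0x400};
    uint64_t img;
    return pe_image_size(&s, 1, MAX_IMAGE, &img) ? 0 : 1;
}

/* Constructed sample: raw data extends past a 4 KiB file. Returns 1 if rejected. */
int demo_raw_oob_rejected(void)
{
    struct pe_section s = {0x10000, 0x1000, 0x10000, 0x400};
    uint64_t img;
    if (!pe_image_size(&s, 1, MAX_IMAGE, &img))
        return 0;                  /* image size itself is fine here */
    return pe_section_copy_ok(&s, 0x1000, img) ? 0 : 1;
}

int main(void)
{
    printf("benign accepted: %d\n", demo_benign_accepted());
    printf("32-bit wrapped size: 0x%x\n", demo_wrapped_32bit());
    printf("wrap rejected: %d\n", demo_wrap_rejected());
    printf("raw OOB rejected: %d\n", demo_raw_oob_rejected());
    return 0;
}
```

The point of demo_wrapped_32bit is the allocation-sizing hazard: a section that legitimately needs to end near 4 GiB sums to 0x1000 in 32-bit arithmetic, so a loader trusting that sum would allocate 4 KiB and then copy 8 KiB into it. Widening the sum and capping it, and checking the file-side bound separately before each copy, closes both paths named in the description.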

CWE(s)

CWE-190: Integer Overflow or Wraparound

Related Threats

MITRE ATT&CK Enterprise Techniques [AI]

- T1542.005 TFTP Boot · Stealth: Adversaries may abuse netbooting to load an unauthorized network device operating system from a Trivial File Transfer Protocol (TFTP) server.
- T1091 Replication Through Removable Media · Lateral Movement: Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes.
Why these techniques?

Vulnerability in barebox EFI PE loader enables code execution via malicious binaries supplied over TFTP/network boot (T1542.005) or removable media (T1091).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

- CVE-2026-33243 (same product: Pengutronix Barebox)
- CVE-2024-57262 (shared CWE-190)
- CVE-2024-57254 (shared CWE-190)
- CVE-2024-57255 (shared CWE-190)
- CVE-2026-2781 (shared CWE-190)
- CVE-2026-40046 (shared CWE-190)
- CVE-2025-30404 (shared CWE-190)
- CVE-2025-27918 (shared CWE-190)
- CVE-2026-0031 (shared CWE-190)
- CVE-2025-46817 (shared CWE-190)

Affected Assets

pengutronix barebox, versions ≤ 2026.04.0

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References