Cyber Resilience

CVE-2026-35170

High

Published: 06 April 2026

Modified: 07 April 2026
CVSS v3.1 base score: 7.1 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H)
EPSS score: 0.0002 (5.7th percentile)
Risk priority: 14 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-35170 is a high-severity Out-of-bounds Read (CWE-125) vulnerability. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Malicious File (T1204.002). The CVE is ranked at the 5.7th percentile by exploit likelihood (EPSS 0.0002, below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-35170 is a heap-buffer-overflow read vulnerability in openFPGALoader, an open-source utility for programming field-programmable gate arrays (FPGAs). The issue affects versions 1.1.1 and earlier, specifically in the BitParser::parseHeader() function, which triggers out-of-bounds heap memory access when processing a specially crafted .bit file. Notably, no FPGA hardware is required to exploit this flaw, as it occurs during file parsing.

An attacker can exploit this vulnerability locally with low attack complexity and no required privileges, but it necessitates user interaction, such as convincing a user to load a malicious .bit file into the tool. Successful exploitation enables high-impact confidentiality violations through arbitrary heap memory reads, potentially leaking sensitive data, alongside high-impact availability disruptions like application crashes or denial of service. The CVSS v3.1 base score of 7.1 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H) reflects these characteristics, mapped to CWE-125 (Out-of-bounds Read).

The primary advisory is available at https://github.com/trabucayre/openFPGALoader/security/advisories/GHSA-v59x-fvpj-j22x, which details the vulnerability and likely includes patch information or mitigation guidance for affected users.

Vulnerability details

openFPGALoader is a utility for programming FPGAs. In 1.1.1 and earlier, a heap-buffer-overflow read vulnerability exists in BitParser::parseHeader() that allows out-of-bounds heap memory access when parsing a crafted .bit file. No FPGA hardware is required to trigger this vulnerability.

CWE(s)

CWE-125 (Out-of-bounds Read)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1204.002 User Execution: Malicious File
An adversary may rely upon a user opening a malicious file in order to gain execution.
Why these techniques?

The vulnerability is triggered by parsing a specially crafted .bit file in the vulnerable tool, which requires user interaction to load the file; this maps directly to delivery and execution via a malicious file.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

- CVE-2026-0956 (shared CWE-125)
- CVE-2026-21324 (shared CWE-125)
- CVE-2026-21322 (shared CWE-125)
- CVE-2026-27284 (shared CWE-125)
- CVE-2026-21344 (shared CWE-125)
- CVE-2025-62403 (shared CWE-125)
- CVE-2025-64733 (shared CWE-125)
- CVE-2025-62500 (shared CWE-125)
- CVE-2025-66617 (shared CWE-125)
- CVE-2025-1652 (shared CWE-125)

Mitigating Controls

Mitigating Controls (NIST 800-53 r5, AI)

- prevent, SI-2 (Flaw Remediation): Requires timely patching of the heap-buffer-overflow vulnerability in openFPGALoader's BitParser::parseHeader() to eliminate the out-of-bounds heap read.
- prevent, SI-10 (Information Input Validation): Mandates validation of .bit file inputs to block malformed files that trigger out-of-bounds heap memory access during parsing.
- prevent: Implements memory protections such as address space layout randomization to limit the impact of an exploited heap buffer overflow.
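Bounds-checked header parsing of the kind the SI-10 control above calls for, as an added example of the defence against the parseHeader() issue described in the deeper analysis (my code, not openFPGALoader's BitParser; the .bit header layout it assumes is the common Xilinx one, and the sample bytes are constructed). Every length field in the file is validated against the bytes remaining before it is dereferenced, so a crafted .bit file is rejected instead of causing an out-of-bounds heap read.

```cpp
#include <cstdint>
#include <string>
#include <vector>

// Added example, not openFPGALoader's code. Assumed .bit layout: 2-byte length +
// sync bytes, 2-byte 0x0001, fields 'a'-'d' as tag/16-bit length/value, then 'e'
// with a 32-bit bitstream length. Every length is checked against the bytes
// remaining before it is used: the SI-10 input-validation control in practice.
struct BitHeader {  // fields: 'a' design name, 'b' part, 'c' date, 'd' time
    std::string fields[4]; size_t bitstream_offset = 0; uint32_t bitstream_len = 0;
};
struct BoundedReader {
    const uint8_t *data; size_t size, pos;
    bool take(size_t n, const uint8_t **out) {  // sole buffer access: refuses overruns
        if (n > size - pos) return false;
        *out = data + pos; pos += n; return true;
    }
    bool u16(uint16_t *v) { const uint8_t *p; if (!take(2, &p)) return false;
        *v = (uint16_t)((p[0] << 8) | p[1]); return true; }
    bool u32(uint32_t *v) { const uint8_t *p; if (!take(4, &p)) return false;
        *v = ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3]; return true; }
};

// False on truncation or on any length larger than the remaining input, so a
// crafted file is rejected rather than read past the end of its heap buffer.
bool parseBitHeader(const std::vector<uint8_t> &buf, BitHeader *hdr) {
    BoundedReader r{buf.data(), buf.size(), 0};
    uint16_t len; const uint8_t *p;
    if (!r.u16(&len) || !r.take(len, &p)) return false;  // sync header
    if (!r.u16(&len) || len != 1) return false;
    for (char tag = 'a'; tag <= 'd'; ++tag) {
        if (!r.take(1, &p) || *p != (uint8_t)tag) return false;
        if (!r.u16(&len) || !r.take(len, &p)) return false;
        hdr->fields[tag - 'a'] = std::string((const char *)p, len);
    }
    if (!r.take(1, &p) || *p != 'e' || !r.u32(&hdr->bitstream_len)) return false;
    hdr->bitstream_offset = r.pos;
    return hdr->bitstream_len <= buf.size() - r.pos;
}
// Constructed sample: a minimal valid 36-byte header; with oversized=true the 'a'
// length field becomes 0xFF04, pointing far past the end of the buffer.
std::vector<uint8_t> sampleHeader(bool oversized) {
    std::vector<uint8_t> v = {0x00, 0x02, 0xAA, 0x55, 0x00, 0x01, 'a', 0x00, 0x04, 't', 'o', 'p', 0x00,
        'b', 0x00, 0x03, 'x', 'c', '7', 'c', 0x00, 0x02, '2', '6', 'd', 0x00, 0x02, '1', '2',
        'e', 0x00, 0x00, 0x00, 0x02, 0xFF, 0xFF};
    if (oversized) v[7] = 0xFF;
    return v;
}
bool sampleParses(bool oversized) { BitHeader h; return parseBitHeader(sampleHeader(oversized), &h); }
std::string sampleDesignName() { BitHeader h; parseBitHeader(sampleHeader(false), &h); return h.fields[0]; }
```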

References

https://github.com/trabucayre/openFPGALoader/security/advisories/GHSA-v59x-fvpj-j22x (primary advisory)