CVE-2026-35170
Published: 06 April 2026
Summary
CVE-2026-35170 is a high-severity Out-of-bounds Read (CWE-125) vulnerability. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Malicious File (T1204.002); ranked at the 5.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-35170 is a heap-buffer-overflow read vulnerability in openFPGALoader, an open-source utility for programming field-programmable gate arrays (FPGAs). The issue affects versions 1.1.1 and earlier, specifically in the BitParser::parseHeader() function, which triggers out-of-bounds heap memory access when processing a specially crafted .bit file. Notably, no FPGA hardware is required to exploit this flaw, as it occurs during file parsing.
An attacker can exploit this vulnerability locally with low attack complexity and no required privileges, but it necessitates user interaction, such as convincing a user to load a malicious .bit file into the tool. Successful exploitation enables high-impact confidentiality violations through arbitrary heap memory reads, potentially leaking sensitive data, alongside high-impact availability disruptions like application crashes or denial of service. The CVSS v3.1 base score of 7.1 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H) reflects these characteristics, mapped to CWE-125 (Out-of-bounds Read).
The primary advisory is available at https://github.com/trabucayre/openFPGALoader/security/advisories/GHSA-v59x-fvpj-j22x, which details the vulnerability and likely includes patch information or mitigation guidance for affected users.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-19444
Vulnerability details
openFPGALoader is a utility for programming FPGAs. In 1.1.1 and earlier, a heap-buffer-overflow read vulnerability exists in BitParser::parseHeader() that allows out-of-bounds heap memory access when parsing a crafted .bit file. No FPGA hardware is required to trigger this vulnerability.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Vulnerability is triggered by parsing a specially crafted malicious .bit file in the vulnerable tool, requiring user interaction to load/execute it, directly mapping to delivery and execution via malicious file.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Requires timely patching of the heap-buffer-overflow vulnerability in openFPGALoader's BitParser::parseHeader() to eliminate the out-of-bounds heap read.
Mandates validation of .bit file inputs to block malformed files that trigger out-of-bounds heap memory access during parsing.
Implements memory protections like address space layout randomization to mitigate exploitation impacts of heap buffer overflows.