Cyber Posture

CVE-2026-35176

High

Published: 06 April 2026

Modified: 07 April 2026
KEV Added
Patch
CVSS Score: 7.1 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H)
EPSS Score: 0.0001 (3.0th percentile)
Risk Priority: 14 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-35176 is a high-severity Out-of-bounds Read (CWE-125) vulnerability. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Malicious File (T1204.002). The CVE ranks at the 3.0th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Malicious File (T1204.002) and 1 other technique.

What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) (AI)

prevent

Directly remediates the heap-buffer-overflow vulnerability by identifying, reporting, and patching the flaw in openFPGALoader's POFParser::parseSection() function.

prevent

Enforces validation of .pof file inputs to prevent out-of-bounds heap memory access during parsing of crafted files.

prevent

Implements memory safeguards like address space randomization to mitigate exploitation of the heap buffer overflow read vulnerability.

MITRE ATT&CK Enterprise Techniques (AI)

T1204.002 Malicious File (tactic: Execution)
An adversary may rely upon a user opening a malicious file in order to gain execution.

T1499.004 Application or System Exploitation (tactic: Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

Why these techniques?

The vulnerability is directly triggered by a user processing a malicious .pof file with openFPGALoader (T1204.002 Malicious File), and the out-of-bounds read enables application crashes for denial of service (T1499.004 Application or System Exploitation).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

openFPGALoader is a utility for programming FPGAs. In 1.1.1 and earlier, a heap-buffer-overflow read vulnerability exists in POFParser::parseSection() that allows out-of-bounds heap memory access when parsing a crafted .pof file. No FPGA hardware is required to trigger this vulnerability.

Deeper analysis (AI)

CVE-2026-35176 is a heap-buffer-overflow read vulnerability in the POFParser::parseSection() function of openFPGALoader, an open-source utility for programming FPGAs. The issue affects versions 1.1.1 and earlier, enabling out-of-bounds heap memory access when the tool parses a specially crafted .pof file. No FPGA hardware is required to trigger the vulnerability, making it exploitable solely through software input processing.

The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H) and is classified under CWE-125 (Out-of-bounds Read). A local attacker with no privileges can exploit it by convincing a user to process a malicious .pof file with openFPGALoader. Exploitation requires user interaction but is of low complexity. It can disclose sensitive heap memory contents (high confidentiality impact) and crash the application (high availability impact).

Mitigation details are available in the project's GitHub security advisory at https://github.com/trabucayre/openFPGALoader/security/advisories/GHSA-9x7m-m8gv-px2j.

Details

CWE(s)

CVEs Like This One

CVE-2026-5673 (shared CWE-125)
CVE-2026-33905 (shared CWE-125)
CVE-2026-3442 (shared CWE-125)
CVE-2025-70308 (shared CWE-125)
CVE-2026-25884 (shared CWE-125)
CVE-2025-64735 (shared CWE-125)
CVE-2026-27294 (shared CWE-125)
CVE-2026-32927 (shared CWE-125)
CVE-2026-2704 (shared CWE-125)
CVE-2025-0612 (shared CWE-125)
