CVE-2026-24795 Overview
CVE-2026-24795 is an Out-of-bounds Write vulnerability affecting CloverHackyColor CloverBootloader, specifically within the MdeModulePkg/Universal/RegularExpressionDxe/Oniguruma modules. The vulnerability is associated with the program file regcomp.c and impacts CloverBootloader versions prior to 5162.
This bootloader vulnerability could allow an attacker with local access to corrupt memory by writing data beyond allocated buffer boundaries, potentially leading to system instability or enabling further exploitation during the boot process.
Critical Impact
Local attackers could exploit this out-of-bounds write vulnerability in the CloverBootloader's regular expression module to cause denial of service conditions or potentially achieve code execution during the boot phase.
Affected Products
- CloverBootloader versions prior to 5162
- Systems utilizing CloverHackyColor CloverBootloader with Oniguruma regex modules
- UEFI environments running vulnerable CloverBootloader configurations
Discovery Timeline
- 2026-01-27 - CVE-2026-24795 published to NVD
- 2026-01-27 - Last updated in NVD database
Technical Details for CVE-2026-24795
Vulnerability Analysis
The vulnerability exists within the Oniguruma regular expression library as integrated into CloverBootloader's MdeModulePkg/Universal/RegularExpressionDxe module. Specifically, the flaw resides in regcomp.c, which handles regular expression compilation. During the processing of certain regex patterns, the code fails to properly validate buffer boundaries before performing write operations, resulting in an out-of-bounds write condition (CWE-787).
In the context of a bootloader, this vulnerability is particularly concerning as it executes during the pre-boot environment where traditional operating system security controls are not yet active. An attacker who can influence the input to the regex compilation function could potentially corrupt adjacent memory regions.
The local attack vector means an attacker needs direct access to the system, or the ability to manipulate bootloader configuration files, to exploit this vulnerability. No authentication is required. The impact is primarily on availability; the scope is limited to the vulnerable component, with some potential to affect components loaded later in the boot process.
Root Cause
The root cause is insufficient boundary validation in the regcomp.c file within the Oniguruma regular expression engine. When compiling regular expressions, the code allocates a buffer for compiled pattern data but fails to adequately verify that write operations remain within the allocated memory region. This allows specially crafted regular expression patterns to trigger writes beyond the intended buffer boundaries.
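The following is an added illustration of the defect class described above, not code from regcomp.c, Oniguruma or CloverBootloader: a growable buffer for compiled pattern data, with an append that writes without checking the allocation (the CWE-787 pattern) next to a hardened append that checks capacity, grows with overflow-safe arithmetic and fails closed instead of writing past the end. All names and sizes are assumptions.

```c
/* Illustrative only (not Clover's or Oniguruma's code): a byte buffer of the
 * kind a regex compiler uses to hold compiled pattern data. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

typedef struct {
    unsigned char *p;   /* compiled pattern bytes */
    size_t used;        /* bytes written so far */
    size_t alloc;       /* bytes allocated */
} bbuf_t;

int bbuf_init(bbuf_t *b, size_t initial) {
    b->p = malloc(initial ? initial : 1);
    if (b->p == NULL) return -1;
    b->used = 0;
    b->alloc = initial;
    return 0;
}

/* Vulnerable form: trusts that the caller sized the buffer correctly. A
 * pattern that compiles to more bytes than 'alloc' writes out of bounds. */
void unsafe_append(bbuf_t *b, const unsigned char *bytes, size_t n) {
    memcpy(b->p + b->used, bytes, n);   /* no comparison against b->alloc */
    b->used += n;
}

/* Hardened form: returns 0 on success, -1 if the write cannot be made to
 * fit (size arithmetic would wrap, or reallocation fails). No byte is
 * written unless the whole request fits inside the allocation. */
int safe_append(bbuf_t *b, const unsigned char *bytes, size_t n) {
    if (n > SIZE_MAX - b->used) return -1;          /* used + n would wrap */
    size_t need = b->used + n;
    if (need > b->alloc) {
        size_t grow = b->alloc ? b->alloc : 16;     /* never double zero */
        while (grow < need) {
            if (grow > SIZE_MAX / 2) return -1;     /* doubling would wrap */
            grow *= 2;
        }
        unsigned char *np = realloc(b->p, grow);
        if (np == NULL) return -1;
        b->p = np;
        b->alloc = grow;
    }
    memcpy(b->p + b->used, bytes, n);
    b->used = need;
    return 0;
}

void bbuf_free(bbuf_t *b) { free(b->p); b->p = NULL; b->used = b->alloc = 0; }
```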
Attack Vector
Exploitation requires local access to the target system. An attacker would need to:
- Gain access to modify bootloader configuration files or input data that gets processed by the regex engine
- Craft a malicious regular expression pattern designed to trigger the out-of-bounds write
- Cause the bootloader to process the malicious pattern during boot or configuration parsing
The vulnerability in regcomp.c can be triggered when the regex compilation function processes patterns that produce more compiled data than the compiler allocated space for. Malformed or excessively complex patterns may cause the compiler to write pattern data beyond the allocated buffer. For technical details and the specific fix, refer to CloverBootloader Pull Request #733.
Detection Methods for CVE-2026-24795
Indicators of Compromise
- Unexpected system crashes or hangs during the boot process
- Bootloader configuration files modified without authorization
- Corruption in CloverBootloader log files or boot records
- System failing to boot with memory-related errors
Detection Strategies
- Monitor CloverBootloader configuration files for unauthorized modifications using file integrity monitoring tools
- Implement secure boot verification to detect tampered bootloader components
- Review system boot logs for anomalous behavior or crash patterns during regex processing phases
- Use UEFI firmware security scanning tools to identify vulnerable bootloader versions
Monitoring Recommendations
- Enable audit logging for all changes to bootloader configuration files
- Implement hardware-based trusted boot mechanisms where supported
- Regularly verify bootloader integrity using cryptographic checksums
- Monitor for unusual boot-time delays or failures that could indicate exploitation attempts
How to Mitigate CVE-2026-24795
Immediate Actions Required
- Update CloverBootloader to version 5162 or later immediately
- Restrict physical and local access to systems running vulnerable CloverBootloader versions
- Verify the integrity of existing bootloader installations and configuration files
- Consider implementing Secure Boot to prevent loading of tampered bootloader components
Patch Information
The vulnerability has been addressed in CloverBootloader version 5162 and later. Users should update to the latest stable release available from the official CloverHackyColor repository. The fix is documented in GitHub Pull Request #733, which addresses the boundary validation issues in the Oniguruma regex compilation code.
Workarounds
- Restrict local access to affected systems until patching can be completed
- Implement strong access controls on bootloader configuration directories
- If possible, disable or limit functionality that uses the RegularExpressionDxe module
- Use alternative bootloader solutions while awaiting patch deployment in production environments
# Verify CloverBootloader version (example for macOS/Hackintosh environments)
# Usage: sh check_clover.sh <installed Clover revision, as shown in Clover settings or the boot log>
PATCHED=5162
INSTALLED="${1:?usage: $0 <installed Clover revision>}"
if [ "$INSTALLED" -lt "$PATCHED" ]; then
    echo "Clover r$INSTALLED is vulnerable to CVE-2026-24795; update to r$PATCHED or later"
else
    echo "Clover r$INSTALLED includes the fix for CVE-2026-24795"
fi
# Update procedure
# 1. Download CloverBootloader v5162 or later from the official repository
# 2. Back up the existing EFI partition
# 3. Replace the bootloader files with the updated version
# 4. Verify the update by checking the version information in Clover settings
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

