CVE-2026-33243 Overview
CVE-2026-33243 is a Secure Boot Bypass vulnerability affecting the barebox bootloader. This vulnerability allows an attacker to exploit a FIT (Flattened Image Tree) signature verification weakness to trick the bootloader into booting different images than those that were cryptographically verified as part of a signed configuration.
The vulnerability stems from how mkimage(1) sets the hashed-nodes property of the FIT signature node to list which nodes of the FIT were hashed during the signing process. These nodes are intended to be verified later by the bootloader. However, the hashed-nodes property itself is not part of the hash computation, allowing an attacker to modify this property and bypass the integrity verification mechanism.
Critical Impact
An attacker with local access and high privileges can bypass secure boot protections to load unauthorized firmware or operating system images, potentially enabling persistent system compromise and rootkit installation.
Affected Products
- Pengutronix barebox versions 2016.03.0 to before 2026.03.1
- Pengutronix barebox versions before 2025.09.3 (backport branch)
- Denx U-Boot (related codebase)
Discovery Timeline
- 2026-03-20 - CVE-2026-33243 published to NVD
- 2026-03-26 - Last updated in NVD database
Technical Details for CVE-2026-33243
Vulnerability Analysis
This vulnerability represents a critical flaw in the cryptographic verification chain used by barebox to validate FIT images during the boot process. FIT images are a standard format used by bootloaders to package kernel images, device trees, and other boot-time components along with cryptographic signatures to ensure their integrity.
The root of the issue lies in the design of the signature verification process. When an image is signed using mkimage(1), the tool creates a hashed-nodes property that enumerates which FIT nodes were included in the hash computation. During boot, barebox reads this property to determine which nodes to verify. Because the hashed-nodes property exists outside the signed hash, an attacker can manipulate it post-signing to exclude certain nodes from verification or point to different nodes entirely.
This attack has significant implications for embedded systems and IoT devices that rely on secure boot to prevent unauthorized code execution. A successful exploit could allow an attacker to replace legitimate kernel images, device trees, or initramfs contents with malicious versions while the bootloader incorrectly reports successful signature verification.
Root Cause
The vulnerability is classified under CWE-345 (Insufficient Verification of Data Authenticity). The fundamental issue is that the hashed-nodes property, which is critical metadata for the verification process, was not included within the scope of cryptographic protection. This creates a trusted-but-unverified metadata path that attackers can exploit.
Attack Vector
The attack requires local access to the device with high privileges. An attacker would need the ability to modify the FIT image stored on the boot media. The attack flow involves:
- Obtaining a legitimately signed FIT image
- Modifying the hashed-nodes property so that it references different nodes, or leaves out nodes added after signing
- Injecting malicious boot components (kernel, device tree, etc.)
- Booting the device, which will verify only the nodes listed in the modified hashed-nodes property
The following excerpt from the fix commit shows the stricter input validation it introduces: node names read from an incoming device tree are rejected if they are reserved or contain a path separator:
return *name == '$';
}
+static inline bool is_allowed_input_name(const char *name)
+{
+ /* We are stricter on input than on output, because we assume barebox
+ * code won't attempt naming nodes bogously.
+ */
+ return !is_reserved_name(name) && !strchr(name, '/');
+}
+
static int of_reservemap_num_entries(const struct fdt_header *fdt)
{
/*
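Review bot: is_allowed_input_name() is only as good as its call sites, and none appear in this hunk; the unflattening path that creates nodes from an untrusted FDT should be the one rejecting '/' (and reserved '$' names), while barebox's own node creation can keep the looser is_reserved_name() as the comment intends. The comment would also help future readers more if it said why '/' matters here: a child name that contains '/' yields a full path that collides with a genuinely nested node, so a path lookup can resolve to a different node than the one whose contents were hashed.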
Source: GitHub Commit Update
Detection Methods for CVE-2026-33243
Indicators of Compromise
- Unexpected modifications to FIT images on boot media or flash storage
- Discrepancies between expected and actual hashed-nodes property values in FIT images
- Boot logs showing verification of fewer nodes than expected
- Unauthorized kernel or device tree images present in FIT containers
Detection Strategies
- Implement offline FIT image integrity checking using known-good reference hashes
- Monitor bootloader logs for anomalies in the signature verification process
- Deploy file integrity monitoring on boot partitions where FIT images are stored
- Compare hashed-nodes properties against expected values during security audits
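As an added illustration (not code from barebox, U-Boot or this advisory) of the audit in the Detection Strategies list and of the design point above that hashed-nodes lies outside the signed data: a Python auditor that parses a FIT's flattened device tree itself, flags node names a strict parser would reject (the rule from the patch excerpt: no '/', no reserved '$' names), flags duplicate full paths, and checks that every image a configuration boots is listed in that configuration's hashed-nodes. The sample FIT, its property values and the decoy-node case are constructed; the auditor does not verify the signature value, which fit_check_sign does.

```python
"""Offline FIT auditor: does each configuration's hashed-nodes cover what it boots?"""
import struct

FDT_MAGIC = 0xD00DFEED
FDT_BEGIN_NODE, FDT_END_NODE, FDT_PROP, FDT_NOP, FDT_END = 1, 2, 3, 4, 9


def _pad4(b):
    return b + b"\0" * (-len(b) % 4)


def build_fdt(tree):
    """Serialise {"props": {k: bytes}, "children": {name: subtree}} into a DTB blob.
    Used only to construct the sample FIT below; real images come from mkimage."""
    strings, stroff, out = bytearray(), {}, bytearray()

    def emit(name, node):
        out.extend(struct.pack(">I", FDT_BEGIN_NODE) + _pad4(name.encode() + b"\0"))
        for key, val in node.get("props", {}).items():
            if key not in stroff:
                stroff[key] = len(strings)
                strings.extend(key.encode() + b"\0")
            out.extend(struct.pack(">III", FDT_PROP, len(val), stroff[key]) + _pad4(val))
        for cname, child in node.get("children", {}).items():
            emit(cname, child)
        out.extend(struct.pack(">I", FDT_END_NODE))

    emit("", tree)
    out.extend(struct.pack(">I", FDT_END))
    off_struct, off_strings = 56, 56 + len(out)  # 40-byte header + empty 16-byte memreserve
    hdr = struct.pack(">10I", FDT_MAGIC, off_strings + len(strings), off_struct, off_strings,
                      40, 17, 16, 0, len(strings), len(out))
    return hdr + b"\0" * 16 + bytes(out) + bytes(strings)


def parse_fdt(blob):
    """Walk the structure block; return node records (path, raw name, props) in file order."""
    magic, _, off_struct, off_strings = struct.unpack_from(">4I", blob, 0)
    if magic != FDT_MAGIC:
        raise ValueError("not a flattened device tree")
    pos, stack, records = off_struct, [], []
    while True:
        (tok,) = struct.unpack_from(">I", blob, pos)
        pos += 4
        if tok == FDT_BEGIN_NODE:
            end = blob.index(b"\0", pos)
            name = blob[pos:end].decode()
            pos = end + 1 + (-(end + 1) % 4)
            # Full path built the way a bootloader would: parent path + "/" + raw name.
            path = "/" if not stack else stack[-1]["path"].rstrip("/") + "/" + name
            stack.append({"path": path, "name": name, "props": {}})
            records.append(stack[-1])
        elif tok == FDT_PROP:
            length, nameoff = struct.unpack_from(">2I", blob, pos)
            pos += 8
            key = blob[off_strings + nameoff:blob.index(b"\0", off_strings + nameoff)].decode()
            stack[-1]["props"][key] = bytes(blob[pos:pos + length])
            pos += length + (-length % 4)
        elif tok == FDT_END_NODE:
            stack.pop()
        elif tok == FDT_END:
            return records
        elif tok != FDT_NOP:
            raise ValueError(f"unexpected token {tok:#x} at offset {pos - 4}")


def audit_fit(blob):
    """Findings for one FIT image; an empty list means every check passed."""
    records, findings, seen = parse_fdt(blob), [], set()
    for rec in records:
        if "/" in rec["name"] or rec["name"].startswith("$"):  # same rule as is_allowed_input_name()
            findings.append(f"{rec['path']}: node name {rec['name']!r} contains '/' or is reserved")
        if rec["path"] in seen:
            findings.append(f"{rec['path']}: duplicate path, two nodes answer to one lookup")
        seen.add(rec["path"])
    for cfg in records:
        if not (cfg["path"].startswith("/configurations/") and cfg["path"].count("/") == 2):
            continue
        # Root, the configuration node and every image it references must be in the signed set.
        required = {"/", cfg["path"]}
        for key in ("kernel", "fdt", "ramdisk"):
            if key in cfg["props"]:
                required.add("/images/" + cfg["props"][key].rstrip(b"\0").decode())
        sigs = [r for r in records if r["path"].startswith(cfg["path"] + "/") and r["name"].startswith("signature")]
        if not sigs:
            findings.append(f"{cfg['path']}: no signature node")
        for sig in sigs:
            hashed = {s.decode() for s in sig["props"].get("hashed-nodes", b"").split(b"\0") if s}
            if required - hashed:
                findings.append(f"{sig['path']}: hashed-nodes omits {sorted(required - hashed)}")
    return findings


def sample_fit(hashed_nodes=("/", "/configurations/conf-1", "/images/kernel-1", "/images/fdt-1"),
               extra_root_nodes=None):
    """Constructed FIT; the 'value' property is a placeholder, not a real signature."""
    tree = {"children": {
        "images": {"children": {
            "kernel-1": {"props": {"data": b"KERNEL-IMAGE-BYTES", "type": b"kernel\0"}},
            "fdt-1": {"props": {"data": b"DTB-BYTES", "type": b"flat_dt\0"}}}},
        "configurations": {"children": {"conf-1": {
            "props": {"kernel": b"kernel-1\0", "fdt": b"fdt-1\0"},
            "children": {"signature-1": {"props": {
                "algo": b"sha256,rsa2048\0",
                "hashed-nodes": b"".join(p.encode() + b"\0" for p in hashed_nodes),
                "value": b"\0" * 8}}}}}}}}
    tree["children"].update(extra_root_nodes or {})
    return build_fdt(tree)
```

On a deployed image, `audit_fit(open("image.itb", "rb").read())` returns the findings to compare against the baseline recorded for that device; a clean result means the listed coverage is consistent, not that the signature is valid, so the signature itself still needs checking with fit_check_sign or an equivalent out-of-band verifier.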
Monitoring Recommendations
- Establish baseline configurations for all FIT images deployed in production environments
- Implement cryptographic hash verification of FIT images at rest using out-of-band mechanisms
- Enable verbose bootloader logging where possible to capture signature verification details
- Conduct periodic security assessments of firmware update and deployment pipelines
How to Mitigate CVE-2026-33243
Immediate Actions Required
- Update barebox to version 2026.03.1 or 2025.09.3 (backport) immediately
- Audit all deployed FIT images for unauthorized modifications
- Verify the integrity of firmware update pipelines and signing processes
- Restrict physical and logical access to boot media on affected devices
Patch Information
Pengutronix has released patched versions of barebox that address this vulnerability. The fix ensures proper validation of FIT signature verification by implementing stricter input validation for node names and improving the integrity of the signature verification chain.
| Resource | Link |
|---|---|
| Security Advisory | GitHub Security Advisory GHSA-3fvj-q26p-j6h4 |
| Patch Commit | GitHub Commit aca01795 |
Workarounds
- Implement additional out-of-band verification of FIT images before boot using a separate trusted component
- Restrict physical access to devices to prevent boot media tampering
- Deploy hardware-based attestation mechanisms where available to verify boot integrity
- Consider implementing measured boot with TPM to detect unauthorized modifications
```shell
# Verify barebox version after update
barebox -v
# Expected: barebox 2026.03.1 or 2025.09.3
# Check FIT image integrity manually
fit_check_sign -f /path/to/image.itb -k /path/to/key.dtb
```
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

