CVE-2026-34961 Overview
CVE-2026-34961 is an out-of-bounds read vulnerability in the barebox bootloader from Pengutronix. The flaw resides in the ext4 extent parsing logic within fs/ext4/ext4_common.c. The code fails to validate the eh_entries field against the buffer capacity before iterating through extent entries.
Attackers with local access can supply a malicious ext4 filesystem image through USB, SD card, or network boot. Boot-time filesystem parsing then triggers heap out-of-bounds reads. The condition can redirect reads to arbitrary disk offsets during early boot. The vulnerability is tracked under [CWE-125] and affects barebox versions prior to 2026.04.0.
Critical Impact
Malicious ext4 images processed during boot can cause out-of-bounds heap reads and redirect storage access to attacker-controlled offsets.
Affected Products
- Pengutronix barebox versions prior to 2026.04.0
- Embedded Linux systems using barebox as the primary bootloader
- Devices that boot from removable media (USB, SD card) or network boot sources
Discovery Timeline
- 2026-05-11 - CVE-2026-34961 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-34961
Vulnerability Analysis
The vulnerability exists in the ext4 extent tree parser inside fs/ext4/ext4_common.c. The ext4 filesystem uses extent headers that contain an eh_entries field describing how many extent entries follow in the block. Barebox reads this attacker-controlled value from disk without comparing it to the actual buffer capacity.
When the parser iterates through eh_entries extents, it reads memory past the end of the allocated buffer. This produces heap out-of-bounds reads during boot-time filesystem traversal. Because extent records carry block pointers, the parser can also act on attacker-controlled offsets and redirect subsequent reads to arbitrary locations on the underlying storage device.
The impact is constrained to availability and storage integrity at boot, but it executes in the privileged bootloader context before the operating system loads. Additional details are available in the VulnCheck Advisory for Barebox.
Root Cause
The root cause is missing input validation. The ext4 extent header field eh_entries is consumed directly as a loop bound. The parser does not verify that eh_entries fits within the block size or the in-memory buffer holding the extent header. This is a classic [CWE-125] out-of-bounds read driven by untrusted filesystem metadata.
Attack Vector
Exploitation requires local delivery of a crafted ext4 image. An attacker presents the image through removable media such as USB or SD card, or through a network boot source that barebox is configured to load. No authentication or user interaction is required because boot-time parsing occurs automatically. The attack vector is therefore local and pre-OS, scoped to systems where barebox controls boot media selection.
No public proof-of-concept exploit is currently available. The vulnerability is not listed in the CISA KEV catalog. See the GitHub Repository for Barebox for source code context.
Detection Methods for CVE-2026-34961
Indicators of Compromise
- Unexpected boot failures, kernel panics, or reset loops on devices using barebox with attached removable media.
- Boot logs showing ext4 parsing errors, invalid extent headers, or aborted filesystem reads.
- Presence of unauthorized USB drives, SD cards, or unknown TFTP/NFS boot servers in the boot path.
Detection Strategies
- Inventory firmware versions across embedded fleets and flag any device running barebox below 2026.04.0.
- Capture barebox serial console output during boot and alert on ext4 parser warnings or unexpected extent counts.
- Validate cryptographic signatures or hashes of ext4 boot images before they are presented to barebox where secure boot chains permit.
Monitoring Recommendations
- Monitor physical access logs and USB/SD insertion events on production embedded systems.
- Centralize boot telemetry from embedded devices into a security data lake for anomaly review.
- Track barebox release announcements on the GitHub Release v2026.04.0 page for follow-up patches.
How to Mitigate CVE-2026-34961
Immediate Actions Required
- Upgrade barebox to version 2026.04.0 or later on all affected devices.
- Disable boot from untrusted removable media and network sources where operationally feasible.
- Restrict physical access to deployed embedded hardware to prevent malicious media insertion.
Patch Information
Pengutronix addressed the issue in barebox 2026.04.0. The release adds validation of the eh_entries field against the available buffer capacity in fs/ext4/ext4_common.c. Operators should rebuild and reflash bootloader images from the fixed release. Patch artifacts are published on the GitHub Release v2026.04.0 page.
Workarounds
- Configure barebox to boot only from signed or measured images using existing secure boot mechanisms.
- Remove ext4 from the supported boot filesystem list where another filesystem can be used.
- Lock down boot order so removable media is not consulted unless explicitly required for recovery.
# Verify installed barebox version and confirm it is at or above the fixed release
barebox-version # run from the barebox shell
# Expected output: 2026.04.0 or later
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
