barebox Out-of-Bounds Read Vulnerability in ext4 Parsing

Vulnerability

A heap-based out-of-bounds read vulnerability has been identified in barebox versions prior to 2026.04.0. This issue arises in the ext4 extent parsing within the file 'fs/ext4/ext4_common.c', where the 'eh_entries' field is not properly validated against the buffer capacity. As a result, attackers can exploit this vulnerability by supplying a malicious ext4 filesystem image through USB, SD card, or network boot. The exploitation occurs during the boot-time filesystem parsing, potentially allowing arbitrary reads from the disk.
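The defect described above is a missing consistency check between the entry counts an extent node claims and the bytes that actually back it. The following C is an added illustration of that check and is not barebox's code; the struct layout and magic value follow the documented ext4 on-disk format, while the 60-byte sample node (the size of an inode's i_block root, which holds the header plus at most four entries), its contents, and the function names `ext_hdr_check`, `ext_leaf_total_len`, `build_sample_node` and `demo*` are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* ext4 extent tree node layout (documented Linux ext4 on-disk format):
 * a 12-byte little-endian header followed by eh_max 12-byte entries
 * (struct ext4_extent in leaves, struct ext4_extent_idx in index nodes). */
#define EXT4_EXT_MAGIC      0xF30Au
#define EXT4_EXT_HDR_SIZE   12u
#define EXT4_EXT_ENTRY_SIZE 12u

struct ext_hdr {
    uint16_t eh_magic;
    uint16_t eh_entries;    /* entries in use, read from the image: untrusted */
    uint16_t eh_max;        /* entries the node claims to hold: untrusted */
    uint16_t eh_depth;      /* 0 = leaf node */
    uint32_t eh_generation;
};

enum ext_check {
    EXT_OK = 0,
    EXT_ERR_SHORT = -1,     /* buffer smaller than the header itself */
    EXT_ERR_MAGIC = -2,
    EXT_ERR_CAPACITY = -3,  /* eh_max entries would not fit the buffer */
    EXT_ERR_ENTRIES = -4    /* eh_entries exceeds eh_max */
};

static uint16_t rd16(const uint8_t *p)
{
    return (uint16_t)(p[0] | ((uint16_t)p[1] << 8));
}

static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Parse an extent header and reject any node whose entry counts exceed the
 * bytes that back it, so every later index into the node stays in bounds. */
enum ext_check ext_hdr_check(const uint8_t *buf, size_t buf_len, struct ext_hdr *out)
{
    if (buf_len < EXT4_EXT_HDR_SIZE)
        return EXT_ERR_SHORT;

    struct ext_hdr h;
    h.eh_magic = rd16(buf);
    h.eh_entries = rd16(buf + 2);
    h.eh_max = rd16(buf + 4);
    h.eh_depth = rd16(buf + 6);
    h.eh_generation = rd32(buf + 8);

    if (h.eh_magic != EXT4_EXT_MAGIC)
        return EXT_ERR_MAGIC;

    /* Capacity is derived from the buffer length, never from the image. */
    size_t capacity = (buf_len - EXT4_EXT_HDR_SIZE) / EXT4_EXT_ENTRY_SIZE;
    if (h.eh_max > capacity)
        return EXT_ERR_CAPACITY;
    if (h.eh_entries > h.eh_max)
        return EXT_ERR_ENTRIES;

    if (out)
        *out = h;
    return EXT_OK;
}

/* Sum ee_len over the entries of a leaf node, or return -1 if the node is
 * rejected; a walk that skipped ext_hdr_check would index past buf here. */
long ext_leaf_total_len(const uint8_t *buf, size_t buf_len)
{
    struct ext_hdr h;
    if (ext_hdr_check(buf, buf_len, &h) != EXT_OK || h.eh_depth != 0)
        return -1;

    long total = 0;
    for (uint16_t i = 0; i < h.eh_entries; i++) {
        const uint8_t *e = buf + EXT4_EXT_HDR_SIZE + (size_t)i * EXT4_EXT_ENTRY_SIZE;
        total += rd16(e + 4);   /* ee_len sits at offset 4 of struct ext4_extent */
    }
    return total;
}

/* Constructed sample node: 60 bytes, the size of an inode's i_block array,
 * which holds the header plus at most 4 entries. */
#define SAMPLE_NODE_SIZE 60u

void build_sample_node(uint8_t *buf, uint16_t entries, uint16_t max)
{
    memset(buf, 0, SAMPLE_NODE_SIZE);
    buf[0] = 0x0A; buf[1] = 0xF3;                                  /* eh_magic */
    buf[2] = (uint8_t)entries; buf[3] = (uint8_t)(entries >> 8);   /* eh_entries */
    buf[4] = (uint8_t)max;     buf[5] = (uint8_t)(max >> 8);       /* eh_max */
    /* eh_depth and eh_generation stay zero; two leaf extents of 8 and 16 blocks */
    buf[12 + 4] = 8;
    buf[24 + 4] = 16;
}

/* Build a sample node with the given counts and run the header check on it. */
int demo(uint16_t entries, uint16_t max)
{
    uint8_t node[SAMPLE_NODE_SIZE];
    build_sample_node(node, entries, max);
    return ext_hdr_check(node, SAMPLE_NODE_SIZE, NULL);
}

/* Same, but walk the leaf and total its extent lengths (-1 when rejected). */
long demo_leaf_len(uint16_t entries, uint16_t max)
{
    uint8_t node[SAMPLE_NODE_SIZE];
    build_sample_node(node, entries, max);
    return ext_leaf_total_len(node, SAMPLE_NODE_SIZE);
}
```

With the sample node, `demo(2, 4)` accepts the header, `demo(1000, 4)` is rejected because `eh_entries` exceeds `eh_max`, and `demo(2, 1000)` is rejected because `eh_max` exceeds what 60 bytes can hold; `demo_leaf_len(2, 4)` walks the two extents and returns 24. The key design point is that the capacity bound comes from the length of the buffer the parser owns, so an image can inflate `eh_entries` or `eh_max` all it likes without moving any read outside that buffer.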

Impact

Exploitation of this vulnerability leads to heap out-of-bounds reads, which can be manipulated to redirect memory reads to arbitrary disk offsets.

Remediation

Upgrade to barebox version 2026.04.0 or later, which addresses this vulnerability.

Added: May 11, 2026, 10:45 PM
Updated: May 11, 2026, 10:45 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 0.6
exploitability: 4.3
remediation: 7.7
relevance: 8.0
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.