barebox Denial-of-Service Vulnerability in ext4 Directory Parsing

Vulnerability

A denial-of-service vulnerability has been identified in barebox versions prior to 2026.04.0. The issue arises in the ext4 directory parsing within the file system code, specifically in the ext4fs_iterate_dir() function. This function does not properly validate the length of directory entries, so an attacker can craft a malicious ext4 filesystem image containing a directory entry whose record length is zero. When this crafted image is processed, the parser never advances past that entry, causing an infinite loop during directory listing or path resolution and effectively hanging the boot process indefinitely.
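To show the check the advisory describes, here is an added example (not barebox's own ext4fs_iterate_dir() code) of a directory-block walker that rejects a zero-length or otherwise malformed record length before advancing, so the loop is guaranteed to make progress. The entry layout follows the on-disk ext4_dir_entry_2 format; the two 64-byte sample blocks are constructed for illustration, not taken from any real image.

```c
#include <stdint.h>
#include <stddef.h>

/* ext4 on-disk directory entry header (ext4_dir_entry_2), little-endian:
 *   u32 inode, u16 rec_len, u8 name_len, u8 file_type, then the name. */
#define DIRENT_HDR 8

static uint32_t le32(const uint8_t *p) { return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24; }
static uint16_t le16(const uint8_t *p) { return p[0] | p[1] << 8; }

/* Walk one directory block and count in-use entries.
 * Returns the count, or -1 on a malformed entry. Rejecting rec_len values
 * smaller than the header (including zero) is what guarantees that `off`
 * advances on every iteration, so the loop cannot spin forever. */
int walk_dir_block(const uint8_t *blk, size_t blksz)
{
    size_t off = 0;
    int count = 0;

    while (off + DIRENT_HDR <= blksz) {
        uint16_t rec_len = le16(blk + off + 4);
        uint8_t name_len = blk[off + 6];

        if (rec_len < DIRENT_HDR ||            /* zero or truncated record */
            (rec_len & 3) ||                    /* must be 4-byte aligned */
            rec_len < DIRENT_HDR + name_len ||  /* name does not fit */
            off + rec_len > blksz)              /* runs past the block */
            return -1;

        if (le32(blk + off) != 0)  /* inode 0 marks an unused slot */
            count++;
        off += rec_len;
    }
    return count;
}

/* Constructed 64-byte directory blocks (not from any real image). */
const uint8_t good_block[64] = {
    2,0,0,0, 12,0, 1,2, '.',0,0,0,          /* "."  rec_len 12 */
    2,0,0,0, 12,0, 2,2, '.','.',0,0,        /* ".." rec_len 12 */
    12,0,0,0, 40,0, 4,2, 'b','o','o','t',   /* "boot" rec_len 40, zero-padded */
};
const uint8_t bad_block[64] = {
    2,0,0,0, 12,0, 1,2, '.',0,0,0,
    2,0,0,0, 12,0, 2,2, '.','.',0,0,
    12,0,0,0, 0,0, 4,2, 'b','o','o','t',    /* rec_len 0: would never advance */
};
```

walk_dir_block() returns 3 for good_block and -1 for bad_block, which is where an unchecked walker would stall.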

Impact

Exploitation of this vulnerability leads to an infinite loop, causing the boot process to hang indefinitely.

Remediation

Users can upgrade to barebox version 2026.04.0 or later to address this vulnerability.

Added: May 11, 2026, 11:22 PM
Updated: May 11, 2026, 11:22 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 4.7
remediation: 7.7
relevance: 8.0
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.