barebox Heap Buffer Overflow Vulnerability in EFI PE Loader Allowing Code Execution

Vulnerability

A heap buffer overflow vulnerability has been identified in barebox versions prior to 2026.04.0. It stems from multiple memory-safety flaws in the EFI PE loader, in the file efi/loader/pe.c. The virtual image size is computed with 32-bit arithmetic on section VirtualAddress and size values, so the computation can overflow and produce an undersized heap allocation. In addition, the PE section loading logic does not properly validate that PointerToRawData plus the copied size stays within the bounds of the PE file buffer. An attacker can exploit this by supplying a malicious EFI PE binary through TFTP, USB, SD card, or network boot. The result is an out-of-bounds read from heap memory or a heap buffer overflow, potentially allowing code execution in the context of the bootloader.
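The two missing checks described above, shown next to the unchecked 32-bit pattern. This is an added example, not barebox code and not the project's fix: the struct, the function names, the `limit` parameter and the sample values are constructed for illustration, and the copy length is assumed to be min(SizeOfRawData, VirtualSize).

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Simplified section header; field names follow the PE/COFF format. */
struct sec_hdr {
    uint32_t VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData;
};

/* Constructed sample: the second section's end wraps past 2^32. */
static const struct sec_hdr sample[] = {
    { 0x1000, 0x00001000u, 0x200, 0x400 },  /* ordinary section */
    { 0x2000, 0xFFFFF000u, 0x200, 0x600 },  /* 0xFFFFF000 + 0x2000 wraps to 0x1000 */
};

/* Unchecked pattern: the 32-bit sum wraps, so the result can be far too small. */
static uint32_t image_size_naive(const struct sec_hdr *s, size_t n)
{
    uint32_t size = 0;
    for (size_t i = 0; i < n; i++) {
        uint32_t end = s[i].VirtualAddress + s[i].VirtualSize;  /* may wrap */
        if (end > size)
            size = end;
    }
    return size;
}

/* Checked pattern: widen to 64 bits; return 0 if any section exceeds limit. */
static uint64_t image_size_checked(const struct sec_hdr *s, size_t n, uint64_t limit)
{
    uint64_t size = 0;
    for (size_t i = 0; i < n; i++) {
        uint64_t end = (uint64_t)s[i].VirtualAddress + s[i].VirtualSize;
        if (end > limit)
            return 0;
        if (end > size)
            size = end;
    }
    return size;
}

/* Copied bytes (assumed min of raw and virtual size) must fit file and image. */
static bool section_copy_ok(const struct sec_hdr *s, size_t file_len, uint64_t image_size)
{
    uint64_t copy = s->SizeOfRawData < s->VirtualSize ? s->SizeOfRawData : s->VirtualSize;
    uint64_t src_end = (uint64_t)s->PointerToRawData + copy;
    uint64_t dst_end = (uint64_t)s->VirtualAddress + copy;
    return src_end <= file_len && dst_end <= image_size;
}
```

On the constructed sample the unchecked function reports an image size of 0x2000 even though the second section ends far beyond it, while the checked function rejects the header set outright.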

Impact

Exploitation of this vulnerability can result in a heap buffer overflow or an out-of-bounds read from heap memory, with the potential for code execution in the context of the bootloader.

Remediation

Users can upgrade to barebox version 2026.04.0 or later to address this vulnerability.

Added: May 11, 2026, 11:22 PM
Updated: May 11, 2026, 11:22 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 7.5
exploitability: 4.1
remediation: 7.7
relevance: 8.0
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.