CVE-2026-34961

MEDIUM 6.2

barebox ext4 Extent Parsing Out-of-Bounds Read

CVSS Score

6.2

EPSS Score

0.0%

EPSS Percentile

2th

barebox prior to version 2026.04.0 contains out-of-bounds read vulnerabilities in ext4 extent parsing due to missing validation of the eh_entries field against buffer capacity in fs/ext4/ext4_common.c. Attackers can supply a malicious ext4 filesystem image via USB, SD card, or network boot to trigger heap out-of-bounds reads during boot-time filesystem parsing, potentially redirecting reads to arbitrary disk offsets.

CWE	CWE-125
Vendor	barebox
Product	barebox
Published	May 11, 2026
Last Updated	May 12, 2026

Stay Ahead of the Next One

Get instant alerts for barebox barebox

Be the first to know when new medium vulnerabilities affecting barebox barebox are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector

Local

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Affected Versions

barebox / barebox

0 ≤ 2026.04.0

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/barebox/barebox github.com: https://github.com/barebox/barebox/releases/tag/v2026.04.0 vulncheck.com: https://www.vulncheck.com/advisories/barebox-ext4-extent-parsing-out-of-bounds-read

Credits

Kazuma Matsumoto, a security researcher at GMO Cybersecurity by IERAE, Inc.