Vulnerability Details CVE-2026-33243

barebox is a bootloader. In barebox from version 2016.03.0 to before version 2025.09.3 and from version 2025.10.0 to before version 2026.03.1, when creating a FIT, mkimage(1) sets the hashed-nodes property of the FIT signature node to list which nodes of the FIT were hashed as part of the signing process, because the bootloader must verify these nodes later. However, hashed-nodes itself is not covered by the hash, so an attacker can modify it to trick the bootloader into booting images other than those that were verified. This issue has been patched in barebox versions 2025.09.3 and 2026.03.1.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.0
EPSS Ranking 0.4%
CVSS Severity
CVSS v3 Score 8.2
Products affected by CVE-2026-33243
  • Denx » U-Boot » Version: 2013.07
    cpe:2.3:a:denx:u-boot:2013.07
  • Denx » U-Boot » Version: 2013.10
    cpe:2.3:a:denx:u-boot:2013.10
  • Denx » U-Boot » Version: 2014.01
    cpe:2.3:a:denx:u-boot:2014.01
  • Denx » U-Boot » Version: 2014.04
    cpe:2.3:a:denx:u-boot:2014.04
  • Denx » U-Boot » Version: 2014.07
    cpe:2.3:a:denx:u-boot:2014.07
  • Denx » U-Boot » Version: 2014.10
    cpe:2.3:a:denx:u-boot:2014.10
  • Denx » U-Boot » Version: 2015.01
    cpe:2.3:a:denx:u-boot:2015.01
  • Denx » U-Boot » Version: 2015.04
    cpe:2.3:a:denx:u-boot:2015.04
  • Denx » U-Boot » Version: 2015.07
    cpe:2.3:a:denx:u-boot:2015.07
  • Denx » U-Boot » Version: 2015.10
    cpe:2.3:a:denx:u-boot:2015.10
  • Denx » U-Boot » Version: 2016.01
    cpe:2.3:a:denx:u-boot:2016.01
  • Denx » U-Boot » Version: 2016.03
    cpe:2.3:a:denx:u-boot:2016.03
  • Denx » U-Boot » Version: 2016.05
    cpe:2.3:a:denx:u-boot:2016.05
  • Denx » U-Boot » Version: 2016.07
    cpe:2.3:a:denx:u-boot:2016.07
  • Denx » U-Boot » Version: 2016.09
    cpe:2.3:a:denx:u-boot:2016.09
  • Denx » U-Boot » Version: 2016.09.01
    cpe:2.3:a:denx:u-boot:2016.09.01
  • Denx » U-Boot » Version: 2016.11
    cpe:2.3:a:denx:u-boot:2016.11
  • Denx » U-Boot » Version: 2017.01
    cpe:2.3:a:denx:u-boot:2017.01
  • Denx » U-Boot » Version: 2017.03
    cpe:2.3:a:denx:u-boot:2017.03
  • Denx » U-Boot » Version: 2017.05
    cpe:2.3:a:denx:u-boot:2017.05
  • Denx » U-Boot » Version: 2017.07
    cpe:2.3:a:denx:u-boot:2017.07
  • Denx » U-Boot » Version: 2017.09
    cpe:2.3:a:denx:u-boot:2017.09
  • Denx » U-Boot » Version: 2017.11
    cpe:2.3:a:denx:u-boot:2017.11
  • Denx » U-Boot » Version: 2018.01
    cpe:2.3:a:denx:u-boot:2018.01
  • Denx » U-Boot » Version: 2018.03
    cpe:2.3:a:denx:u-boot:2018.03
  • Denx » U-Boot » Version: 2018.05
    cpe:2.3:a:denx:u-boot:2018.05
  • Denx » U-Boot » Version: 2018.07
    cpe:2.3:a:denx:u-boot:2018.07
  • Denx » U-Boot » Version: 2018.09
    cpe:2.3:a:denx:u-boot:2018.09
  • Denx » U-Boot » Version: 2018.11
    cpe:2.3:a:denx:u-boot:2018.11
  • Denx » U-Boot » Version: 2019.01
    cpe:2.3:a:denx:u-boot:2019.01
  • Denx » U-Boot » Version: 2019.04
    cpe:2.3:a:denx:u-boot:2019.04
  • Denx » U-Boot » Version: 2019.07
    cpe:2.3:a:denx:u-boot:2019.07
  • Denx » U-Boot » Version: 2019.10
    cpe:2.3:a:denx:u-boot:2019.10
  • Denx » U-Boot » Version: 2020.01
    cpe:2.3:a:denx:u-boot:2020.01
  • Denx » U-Boot » Version: 2020.04
    cpe:2.3:a:denx:u-boot:2020.04
  • Denx » U-Boot » Version: 2020.07
    cpe:2.3:a:denx:u-boot:2020.07
  • Denx » U-Boot » Version: 2020.10
    cpe:2.3:a:denx:u-boot:2020.10
  • Denx » U-Boot » Version: 2021.01
    cpe:2.3:a:denx:u-boot:2021.01
  • Denx » U-Boot » Version: 2021.04
    cpe:2.3:a:denx:u-boot:2021.04
  • Denx » U-Boot » Version: 2022.01
    cpe:2.3:a:denx:u-boot:2022.01
  • Denx » U-Boot » Version: 2022.04
    cpe:2.3:a:denx:u-boot:2022.04
  • Denx » U-Boot » Version: 2022.07
    cpe:2.3:a:denx:u-boot:2022.07
  • Denx » U-Boot » Version: 2022.10
    cpe:2.3:a:denx:u-boot:2022.10
  • Denx » U-Boot » Version: 2023.01
    cpe:2.3:a:denx:u-boot:2023.01
  • Denx » U-Boot » Version: 2023.04
    cpe:2.3:a:denx:u-boot:2023.04
  • Denx » U-Boot » Version: 2023.07
    cpe:2.3:a:denx:u-boot:2023.07
  • Denx » U-Boot » Version: 2023.07.02
    cpe:2.3:a:denx:u-boot:2023.07.02
  • Denx » U-Boot » Version: 2023.10
    cpe:2.3:a:denx:u-boot:2023.10
  • Denx » U-Boot » Version: 2024.01
    cpe:2.3:a:denx:u-boot:2024.01
  • Denx » U-Boot » Version: 2024.04
    cpe:2.3:a:denx:u-boot:2024.04
  • Denx » U-Boot » Version: 2024.07
    cpe:2.3:a:denx:u-boot:2024.07
  • Denx » U-Boot » Version: 2024.10
    cpe:2.3:a:denx:u-boot:2024.10
  • Denx » U-Boot » Version: 2025.01
    cpe:2.3:a:denx:u-boot:2025.01
  • Denx » U-Boot » Version: 2025.04
    cpe:2.3:a:denx:u-boot:2025.04
  • Denx » U-Boot » Version: 2025.07
    cpe:2.3:a:denx:u-boot:2025.07
  • Denx » U-Boot » Version: 2025.10
    cpe:2.3:a:denx:u-boot:2025.10
  • Denx » U-Boot » Version: 2026.01
    cpe:2.3:a:denx:u-boot:2026.01
  • Denx » U-Boot » Version: 2026.04
    cpe:2.3:a:denx:u-boot:2026.04
  • Pengutronix » Barebox » Version: Any
    cpe:2.3:a:pengutronix:barebox:*
  • Pengutronix » Barebox » Version: 2016.03.0
    cpe:2.3:a:pengutronix:barebox:2016.03.0
  • Pengutronix » Barebox » Version: 2016.04.0
    cpe:2.3:a:pengutronix:barebox:2016.04.0
  • Pengutronix » Barebox » Version: 2016.05.0
    cpe:2.3:a:pengutronix:barebox:2016.05.0
  • Pengutronix » Barebox » Version: 2016.06.0
    cpe:2.3:a:pengutronix:barebox:2016.06.0
  • Pengutronix » Barebox » Version: 2016.07.0
    cpe:2.3:a:pengutronix:barebox:2016.07.0
  • Pengutronix » Barebox » Version: 2016.08.0
    cpe:2.3:a:pengutronix:barebox:2016.08.0
  • Pengutronix » Barebox » Version: 2016.09.0
    cpe:2.3:a:pengutronix:barebox:2016.09.0
  • Pengutronix » Barebox » Version: 2016.10.0
    cpe:2.3:a:pengutronix:barebox:2016.10.0
  • Pengutronix » Barebox » Version: 2016.11.0
    cpe:2.3:a:pengutronix:barebox:2016.11.0
  • Pengutronix » Barebox » Version: 2017.01.0
    cpe:2.3:a:pengutronix:barebox:2017.01.0
  • Pengutronix » Barebox » Version: 2017.02.0
    cpe:2.3:a:pengutronix:barebox:2017.02.0
  • Pengutronix » Barebox » Version: 2017.03.0
    cpe:2.3:a:pengutronix:barebox:2017.03.0
  • Pengutronix » Barebox » Version: 2017.04.0
    cpe:2.3:a:pengutronix:barebox:2017.04.0
  • Pengutronix » Barebox » Version: 2017.05.0
    cpe:2.3:a:pengutronix:barebox:2017.05.0
  • Pengutronix » Barebox » Version: 2017.05.1
    cpe:2.3:a:pengutronix:barebox:2017.05.1
  • Pengutronix » Barebox » Version: 2017.05.2
    cpe:2.3:a:pengutronix:barebox:2017.05.2
  • Pengutronix » Barebox » Version: 2017.05.3
    cpe:2.3:a:pengutronix:barebox:2017.05.3
  • Pengutronix » Barebox » Version: 2017.05.4
    cpe:2.3:a:pengutronix:barebox:2017.05.4
  • Pengutronix » Barebox » Version: 2017.06.0
    cpe:2.3:a:pengutronix:barebox:2017.06.0
  • Pengutronix » Barebox » Version: 2017.06.1
    cpe:2.3:a:pengutronix:barebox:2017.06.1
  • Pengutronix » Barebox » Version: 2017.06.2
    cpe:2.3:a:pengutronix:barebox:2017.06.2
  • Pengutronix » Barebox » Version: 2017.07.0
    cpe:2.3:a:pengutronix:barebox:2017.07.0
  • Pengutronix » Barebox » Version: 2017.07.1
    cpe:2.3:a:pengutronix:barebox:2017.07.1
  • Pengutronix » Barebox » Version: 2017.08.0
    cpe:2.3:a:pengutronix:barebox:2017.08.0
  • Pengutronix » Barebox » Version: 2017.09.0
    cpe:2.3:a:pengutronix:barebox:2017.09.0
  • Pengutronix » Barebox » Version: 2017.10.0
    cpe:2.3:a:pengutronix:barebox:2017.10.0
  • Pengutronix » Barebox » Version: 2017.11.0
    cpe:2.3:a:pengutronix:barebox:2017.11.0
  • Pengutronix » Barebox » Version: 2017.12.0
    cpe:2.3:a:pengutronix:barebox:2017.12.0
  • Pengutronix » Barebox » Version: 2018.01.0
    cpe:2.3:a:pengutronix:barebox:2018.01.0
  • Pengutronix » Barebox » Version: 2018.02.0
    cpe:2.3:a:pengutronix:barebox:2018.02.0
  • Pengutronix » Barebox » Version: 2018.03.0
    cpe:2.3:a:pengutronix:barebox:2018.03.0
  • Pengutronix » Barebox » Version: 2018.04.0
    cpe:2.3:a:pengutronix:barebox:2018.04.0
  • Pengutronix » Barebox » Version: 2018.05.0
    cpe:2.3:a:pengutronix:barebox:2018.05.0
  • Pengutronix » Barebox » Version: 2018.06.0
    cpe:2.3:a:pengutronix:barebox:2018.06.0
  • Pengutronix » Barebox » Version: 2018.07.0
    cpe:2.3:a:pengutronix:barebox:2018.07.0
  • Pengutronix » Barebox » Version: 2018.07.1
    cpe:2.3:a:pengutronix:barebox:2018.07.1
  • Pengutronix » Barebox » Version: 2018.07.2
    cpe:2.3:a:pengutronix:barebox:2018.07.2
  • Pengutronix » Barebox » Version: 2018.08.0
    cpe:2.3:a:pengutronix:barebox:2018.08.0
  • Pengutronix » Barebox » Version: 2018.09.0
    cpe:2.3:a:pengutronix:barebox:2018.09.0
  • Pengutronix » Barebox » Version: 2018.10.0
    cpe:2.3:a:pengutronix:barebox:2018.10.0
  • Pengutronix » Barebox » Version: 2018.11.0
    cpe:2.3:a:pengutronix:barebox:2018.11.0
  • Pengutronix » Barebox » Version: 2018.12.0
    cpe:2.3:a:pengutronix:barebox:2018.12.0
  • Pengutronix » Barebox » Version: 2018.8.1
    cpe:2.3:a:pengutronix:barebox:2018.8.1
  • Pengutronix » Barebox » Version: 2019.01.0
    cpe:2.3:a:pengutronix:barebox:2019.01.0
  • Pengutronix » Barebox » Version: 2019.02.0
    cpe:2.3:a:pengutronix:barebox:2019.02.0
  • Pengutronix » Barebox » Version: 2019.03.0
    cpe:2.3:a:pengutronix:barebox:2019.03.0
  • Pengutronix » Barebox » Version: 2019.04.0
    cpe:2.3:a:pengutronix:barebox:2019.04.0
  • Pengutronix » Barebox » Version: 2019.05.0
    cpe:2.3:a:pengutronix:barebox:2019.05.0
  • Pengutronix » Barebox » Version: 2019.06.0
    cpe:2.3:a:pengutronix:barebox:2019.06.0
  • Pengutronix » Barebox » Version: 2019.06.1
    cpe:2.3:a:pengutronix:barebox:2019.06.1
  • Pengutronix » Barebox » Version: 2019.07.0
    cpe:2.3:a:pengutronix:barebox:2019.07.0
  • Pengutronix » Barebox » Version: 2019.08.0
    cpe:2.3:a:pengutronix:barebox:2019.08.0
  • Pengutronix » Barebox » Version: 2019.08.1
    cpe:2.3:a:pengutronix:barebox:2019.08.1
  • Pengutronix » Barebox » Version: 2020.05.0
    cpe:2.3:a:pengutronix:barebox:2020.05.0
  • Pengutronix » Barebox » Version: 2021.07.0
    cpe:2.3:a:pengutronix:barebox:2021.07.0

