Vulnerability in Barebox

CVE-2026-33243

barebox is a bootloader. In barebox from version 2016.03.0 to before version 2026.03.1 (and the corresponding backport to 2025.09.3), an attacker could exploit a FIT signature verification vulnerability to trick the bootloader into booting…

EPSS: 0.000 (0.1th percentile)

CVSS v3 metric

CVSS v3 base score 8.3 (High). Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H.

Affected products

  • Barebox — versions >= 2016.03.0 and < 2025.09.3
  • Barebox — versions >= 2025.10.0 and < 2026.03.1

Weakness classification (CWE)

  • CWE-345: Insufficient Verification of Data Authenticity

References

Frequently asked questions

What is CVE-2026-33243?
CVE-2026-33243 is a high-severity vulnerability in Barebox, classified under Insufficient Verification of Data Authenticity. CVSS score: 8.3/10. Published 2026-03-20.
How severe is CVE-2026-33243?
High severity. CVSS v3 base score is 8.3 out of 10.