CVE-2026-34963: barebox EFI PE Loader Memory Safety Flaws

The National Vulnerability Database has detailed CVE-2026-34963, a critical vulnerability affecting barebox versions prior to 2026.04.0. This flaw resides within the EFI PE loader (efi/loader/pe.c) and stems from multiple memory-safety issues. Specifically, an integer overflow during virtual image size computation, relying on 32-bit arithmetic for section VirtualAddress and size values, leads to undersized heap allocations. Furthermore, the PE section loading logic fails to validate that PointerToRawData plus the copied size remains within the PE file buffer.
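The two checks described above can be sketched as follows. This is an added illustration, not barebox's code: the struct, function names, the `max_image` cap, the min(SizeOfRawData, VirtualSize) copy size and the sample header values are all assumptions constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>

/* Only the section-header fields the advisory names (illustrative, not barebox's struct). */
struct sec {
    uint32_t virtual_size, virtual_address;
    uint32_t size_of_raw_data, pointer_to_raw_data;
};

/* Bug class: the section end is computed in 32 bits, so a large
 * VirtualAddress + size wraps and yields an undersized image size. */
uint32_t image_size_32bit(const struct sec *s, size_t n)
{
    uint32_t size = 0;
    for (size_t i = 0; i < n; i++) {
        uint32_t end = s[i].virtual_address + s[i].virtual_size; /* may wrap */
        if (end > size)
            size = end;
    }
    return size;
}

/* Hardened: widen to 64 bits, cap the image size, and keep every raw-data
 * copy inside the file buffer. Returns 0 and sets *image_size, or -1. */
int validate_sections(const struct sec *s, size_t n, uint64_t file_len,
                      uint64_t max_image, uint64_t *image_size)
{
    uint64_t size = 0;
    for (size_t i = 0; i < n; i++) {
        uint64_t vend = (uint64_t)s[i].virtual_address + s[i].virtual_size;
        /* Assumed copy size: min(SizeOfRawData, VirtualSize). */
        uint64_t copy = s[i].size_of_raw_data < s[i].virtual_size
                            ? s[i].size_of_raw_data : s[i].virtual_size;
        uint64_t rend = (uint64_t)s[i].pointer_to_raw_data + copy;
        if (vend > max_image)   /* destination would exceed the allowed image */
            return -1;
        if (rend > file_len)    /* source read would leave the PE file buffer */
            return -1;
        if (vend > size)
            size = vend;
    }
    *image_size = size;
    return 0;
}

/* Constructed sample headers: {VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData} */
const struct sec wrap_sec[] = { { 0x2000, 0xFFFFF000u, 0x200, 0x400 } };
const struct sec oob_sec[]  = { { 0x1000, 0x1000, 0x1000, 0x3F00 } };
const struct sec ok_sec[]   = { { 0x1000, 0x1000, 0x800, 0x400 } };
```

With a 0x4000-byte file and a 0x10000000 cap, the 32-bit sum for `wrap_sec` comes out as 0x1000, while the widened check rejects both `wrap_sec` and `oob_sec` and accepts `ok_sec` with an image size of 0x2000.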

These vulnerabilities create a dangerous attack vector. An attacker can craft and supply a malicious EFI PE binary through various means, including TFTP, USB, SD card, or network boot. This malicious input can trigger heap buffer overflows or out-of-bounds reads from heap memory. The primary concern here is the potential for arbitrary code execution within the highly privileged bootloader context.

The CVSSv3.1 score for CVE-2026-34963 is 8.4 (HIGH), reflecting its severe impact. The attack vector is local (AV:L), but requires no privileges (PR:N) and no user interaction (UI:N), making exploitation straightforward once a malicious binary is introduced into the boot process. Successful exploitation grants high confidentiality, integrity, and availability impact (C:H/I:H/A:H), underscoring the critical need for immediate patching.

What This Means For You

  • If your organization utilizes barebox in its embedded systems or boot processes, you need to prioritize patching immediately. This isn't just a crash risk; it's a direct path to code execution in the bootloader. An attacker owning the bootloader effectively owns the entire system, bypassing higher-level security controls. Verify all barebox installations are updated to version 2026.04.0 or later to mitigate CVE-2026-34963.

🛡️ Detection Rules

3 detection rules auto-generated for this incident, mapped to MITRE ATT&CK.

critical T1547.001 Persistence

CVE-2026-34963: Barebox EFI PE Loader Heap Overflow via Malicious EFI Binary

title: CVE-2026-34963: Barebox EFI PE Loader Heap Overflow via Malicious EFI Binary
id: scw-2026-05-11-ai-1
status: experimental
level: critical
description: |
  This rule detects potential exploitation of CVE-2026-34963 by identifying processes attempting to load EFI PE binaries within the barebox EFI loader context, specifically referencing the vulnerable 'pe.c' file. This indicates an attempt to leverage the memory safety flaws for code execution during the boot process.
author: SCW Feed Engine (AI-generated)
date: 2026-05-11
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-34963/
tags:
  - attack.persistence
  - attack.t1547.001
logsource:
  # Process-creation events are produced by an OS-level agent.
  category: process_creation
detection:
  selection:
    Image|startswith:
      - '/efi/loader/'
    CommandLine|contains:
      - 'pe.c'
  condition: selection
falsepositives:
  - Legitimate administrative activity

Source: Shimi's Cyber World · License & reuse

Indicators of Compromise

| ID | Type | Indicator |
|---|---|---|
| CVE-2026-34963 | Memory Corruption | barebox version prior to 2026.04.0 |
| CVE-2026-34963 | Buffer Overflow | efi/loader/pe.c - integer overflow in virtual image size computation |
| CVE-2026-34963 | Out-of-Bounds Read | efi/loader/pe.c - PE section loading logic fails to validate PointerToRawData |
| CVE-2026-34963 | RCE | Malicious EFI PE binary via TFTP, USB, SD card, or network boot |

Source & Attribution

Source Platform: NVD
Channel: National Vulnerability Database
Published: May 12, 2026 at 02:19 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
