Vulnerability Description
RAUC controls the update process on embedded Linux systems. Prior to version 1.15.2, RAUC bundles using the 'plain' format exceeding a payload size of 2 GiB cause an integer overflow which results in a signature which covers only the first few bytes of the payload. Given such a bundle with a legitimate signature, an attacker can modify the part of the payload which is not covered by the signature. This issue has been patched in version 1.15.2.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Pengutronix | Rauc | < 1.15.2 |
Related Weaknesses (CWE)
References
- https://github.com/rauc/rauc/commit/4fb7c798d6ae412344fb8f8d310d773046af3441Patch
- https://github.com/rauc/rauc/releases/tag/v1.15.2Release Notes
- https://github.com/rauc/rauc/security/advisories/GHSA-6hj7-q844-m2hxMitigationPatchVendor Advisory
FAQ
What is CVE-2026-34155?
CVE-2026-34155 is a vulnerability with a CVSS score of 5.3 (MEDIUM). RAUC controls the update process on embedded Linux systems. Prior to version 1.15.2, RAUC bundles using the 'plain' format exceeding a payload size of 2 GiB cause an integer overflow which results in ...
How severe is CVE-2026-34155?
CVE-2026-34155 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-34155?
Check the references section above for vendor advisories and patch information. Affected products include: Pengutronix Rauc.