Vulnerability Description
barebox version prior to 2026.04.0 contains a denial-of-service vulnerability in ext4 directory parsing in fs/ext4/ext4_common.c where the ext4fs_iterate_dir() function fails to validate that directory entry length values are non-zero. Attackers can supply a malicious ext4 filesystem image with a crafted directory entry containing a direntlen value of 0 to cause an infinite loop during directory listing or path resolution, resulting in the boot process hanging indefinitely.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Pengutronix | Barebox | < 2026.04.0 |
Related Weaknesses (CWE)
References
- https://github.com/barebox/bareboxProduct
- https://github.com/barebox/barebox/releases/tag/v2026.04.0Release Notes
- https://www.vulncheck.com/advisories/barebox-ext4-directory-parsing-infinite-looThird Party Advisory
FAQ
What is CVE-2026-34962?
CVE-2026-34962 is a vulnerability with a CVSS score of 6.2 (MEDIUM). barebox version prior to 2026.04.0 contains a denial-of-service vulnerability in ext4 directory parsing in fs/ext4/ext4_common.c where the ext4fs_iterate_dir() function fails to validate that director...
How severe is CVE-2026-34962?
CVE-2026-34962 has been rated MEDIUM with a CVSS base score of 6.2/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-34962?
Check the references section above for vendor advisories and patch information. Affected products include: Pengutronix Barebox.