Is CVE-2026-33243 actively exploited?

CVE-2026-33243 has no public evidence of in-the-wild exploitation as of 2026-03-23.

What is the CVSS score for CVE-2026-33243?

CVE-2026-33243 has a CVSS score of 8.2 (HIGH severity). Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H.

How do I patch CVE-2026-33243?

Vendor patch guidance is linked from the references on this page. CVEDatabase generates AI-assisted remediation guidance on demand for CVE-2026-33243.

Which products are affected by CVE-2026-33243?

Affected products for CVE-2026-33243 are listed on this page once vendor data becomes available.

Fix CVE-2026-33243 - HIGH Vulnerability

Description

barebox is a bootloader. In barebox from version 2016.03.0 to before version 2025.09.3 and from version 2025.10.0 to before version 2026.03.1, when creating a FIT, mkimage(1) sets the hashed-nodes property of the FIT signature node to list which nodes of the FIT were hashed as part of the signing process as these will need to be verified later on by the bootloader. However, hashed-nodes itself is not part of the hash and can therefore be modified by an attacker to trick the bootloader into booting different images than those that have been verified. This issue has been patched in barebox versions 2025.09.3 and 2026.03.1.

CVSS Metrics

Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Attack Vector: local
Complexity: low
Privileges: high
User Action: none
Scope: changed
Confidentiality: high
Integrity: high
Availability: high
Weaknesses: CWE-345

Metadata

Primary Vendor: UNKNOWN
Published: 3/20/2026
Last Modified: 3/23/2026
Source: NIST NVD
Note: Verify all details with official vendor sources before applying patches.

CVE-2026-33243

Description

CVSS Metrics

Metadata

Affected Products

Remediation Guidance

Executive Summary