Notification about FIT Signature Bypass Vulnerability
Ahmad Fatoum
a.fatoum at pengutronix.de
Tue Mar 17 12:09:38 PDT 2026
On 2026-03-02, a patch was first posted to the U-Boot mailing list to
fix a FIT security vulnerability that had been disclosed privately by
Apple Security Engineering and Architecture.

This vulnerability has been fixed in barebox v2026.03.1 and U-Boot
v2026.04-rc4 in the meantime.

More details can be found in the linked advisory:
https://github.com/barebox/barebox/security/advisories/GHSA-3fvj-q26p-j6h4

A CVE number has been requested.
--
Pengutronix e.K. | |
Steuerwalder Str. 21 | http://www.pengutronix.de/ |
31137 Hildesheim, Germany | Phone: +49-5121-206917-0 |
Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 |