CVE-2026-33243 is a vulnerability in the barebox bootloader’s FIT image signing and verification workflow. In affected versions, mkimage populates the FIT signature node’s hashed-nodes property to indicate which FIT nodes were included in the signature calculation and therefore should be verified during boot. However, the hashed-nodes property itself is not covered by the cryptographic hash. Because this metadata remains mutable after signing, an attacker can alter it so the bootloader validates a signed configuration while subsequently selecting and booting different image components than those actually covered by the signature. This breaks the integrity guarantees expected from FIT signature verification and undermines secure boot assumptions for affected barebox deployments.
Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.
What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.
What an attacker gets, and what they’ve been doing with it.
If you can’t patch tonight, do this now.
Patch, then assume compromise.
No public exploits tracked yet. Mallory keeps watching.
No public exploit code observed for this vulnerability.
Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.
Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.
7 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
An earlier U-Boot signature-verification flaw in which unsigned metadata describing covered components allowed tampered image parts to evade verification.
A previously disclosed vulnerability in U-Boot FIT signature verification logic mentioned as prior related research context.
A vulnerability in barebox FIT image signing/verification where the hashed-nodes property is not itself covered by the hash, allowing an attacker to alter it and potentially cause the bootloader to boot images different from those actually verified.
Query your assets running an affected version, and investigate the blast radius.
Every observed campaign linking this CVE to a named adversary.
Malware families riding this exploit, with evidence and IOCs.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Cross-references every affected SKU, including bundled OEM variants.
Community discussion across Reddit, Mastodon, and other social sources.