Every CVE whose affected-product data names Pengutronix Barebox, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (10)
CVE-2019-15937 — CVSS 9.8 (critical): Pengutronix barebox through 2019.08.1 has a remote buffer overflow in nfs_readlink_reply in net/nfs.c because a length field is directly…
CVE-2019-15938 — CVSS 9.8 (critical): Pengutronix barebox through 2019.08.1 has a remote buffer overflow in nfs_readlink_req in fs/nfs.c because a length field is directly used…
CVE-2020-13910 — CVSS 9.1 (critical): Pengutronix Barebox through v2020.05.0 has an out-of-bounds read in nfs_read_reply in net/nfs.c because a field of an incoming network…
CVE-2026-34963 — CVSS 8.4 (high): barebox version prior to 2026.04.0 contains multiple memory-safety vulnerabilities in the EFI PE loader in efi/loader/pe.c where integer…
CVE-2026-33243 — CVSS 8.2 (high): barebox is a bootloader. In barebox from version 2016.03.0 to before version 2026.03.1 (and the corresponding backport to 2025.09.3), an…
CVE-2021-37848 — CVSS 7.5 (high): common/password.c in Pengutronix barebox through 2021.07.0 leaks timing information because strncmp is used during hash comparison.
CVE-2021-37847 — CVSS 7.5 (high): crypto/digest.c in Pengutronix barebox through 2021.07.0 leaks timing information because memcmp is used during digest verification.
CVE-2026-34960 — CVSS 6.5 (medium): barebox prior to version 2026.04.0 contains an out-of-bounds read vulnerability in DHCP option parsing within the dhcp_message_type()…
CVE-2026-34961 — CVSS 6.2 (medium): barebox prior to version 2026.04.0 contains out-of-bounds read vulnerabilities in ext4 extent parsing due to missing validation of the…
CVE-2026-34962 — CVSS 6.2 (medium): barebox version prior to 2026.04.0 contains a denial-of-service vulnerability in ext4 directory parsing in fs/ext4/ext4_common.c where the…