Critical U-Boot FIT Signature Verification Vulnerabilities (CVE-2026-46728) Expose Embedded Linux Devices to Stealthy Firmware Attacks – Rescana

Critical U-Boot FIT Signature Verification Vulnerabilities (CVE-2026-46728) Expose Embedded Linux Devices to Stealthy Firmware Attacks – Rescana

Critical U-Boot FIT Signature Verification Vulnerabilities (CVE-2026-46728) Expose Embedded Linux Devices to Stealthy Firmware Attacks – Rescana

https://www.rescana.com/post/critical-u-boot-fit-signature-verification-vulnerabilities-cve-2026-46728-expose-embedded-linux-devices-to-stealthy-firm

Publish Date: 2026-07-12 07:12:00

Source Domain: www.rescana.com

Executive Summary

Multiple critical vulnerabilities have been identified in the U-Boot bootloader’s FIT (Flattened Image Tree) signature verification code, most notably CVE-2026-46728 and several flaws tracked by Binarly (BRLY-2026-037 through BRLY-2026-042). These vulnerabilities allow attackers to bypass firmware signature verification, execute arbitrary code during the boot process, and install persistent, stealthy malware on a wide range of embedded Linux devices. The flaws are especially dangerous because exploitation occurs before the operating system loads, making detection extremely difficult and enabling attackers to establish deep persistence. While there are currently no confirmed public reports of exploitation in the wild, the attack surface is significant and proof-of-concept code is available in public research.

Technical Information

The most critical vulnerability, CVE-2026-46728, affects U-Boot versions prior to 2026.04. It allows a bypass of FIT (Flat Image Tree) signature verification due to the omission of the hashed-nodes field from the hash calculation. This origin validation error (CWE-346) enables attackers to craft malicious firmware images that are accepted as valid, even if unsigned or tampered with. The vulnerability has a CVSS 3.1 score of 8.2 (High), with a vector of AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H, indicating high impact on confidentiality, integrity, and availability.

Binarly has also disclosed related flaws under identifiers BRLY-2026-037 through BRLY-2026-042, which include memory corruption, out-of-bounds reads, null pointer dereference, improper validation of external firmware data, and unbounded recursion leading to stack exhaustion. These issues can result in device crashes or arbitrary code execution during the boot process.

The attack surface includes enterprise servers (especially those with BMCs), networking equipment, industrial systems, IoT devices, and other appliances using U-Boot. Attackers can exploit these…

Source