CVE-2026-46728

Name: CVE-2026-46728
Description: Das U-Boot before 2026.04 allows FIT (Flat Image Tree) signature verification bypass because hashed-nodes is omitted from a hash.
Source: CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References: DLA-4642-1
Debian Bugs: 1136954

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package   Release              Version                  Status
u-boot (PTS)     bullseye             2021.01+dfsg-5           vulnerable
                 bullseye (security)  2021.01+dfsg-5+deb11u3   fixed
                 bookworm             2023.01+dfsg-2+deb12u2   vulnerable
                 bookworm (security)  2023.01+dfsg-2+deb12u3   fixed
                 trixie               2025.01-3                vulnerable
                 forky, sid           2025.01-3.2              fixed

The information below is based on the following data on fixed versions.

Package   Type     Release      Fixed Version            Urgency   Origin       Debian Bugs
u-boot    source   bullseye     2021.01+dfsg-5+deb11u3             DLA-4642-1
u-boot    source   bookworm     2023.01+dfsg-2+deb12u3             DLA-4642-1
u-boot    source   (unstable)   2025.01-3.2                                     1136954

Notes

[trixie] - u-boot <no-dsa> (Minor issue)
Fixed by: https://github.com/u-boot/u-boot/commit/2092322b31cc8b1f8c9e2e238d1043ae0637b241 (v2026.04-rc4)