{"dataType":"CVE_RECORD","cveMetadata":{"cveId":"CVE-2026-46728","assignerOrgId":"8254265b-2729-46b6-b9e3-3dfca2d5bfca","state":"PUBLISHED","assignerShortName":"mitre","dateReserved":"2026-05-16T21:26:48.876Z","datePublished":"2026-05-16T21:26:49.527Z","dateUpdated":"2026-05-16T22:24:18.071Z"},"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"U-Boot","vendor":"denx","versions":[{"lessThan":"2026.04","status":"affected","version":"0","versionType":"custom"}]}],"descriptions":[{"lang":"en","value":"Das U-Boot before 2026.04 allows FIT (Flat Image Tree) signature verification bypass because hashed-nodes is omitted from a hash."}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"LOCAL","availabilityImpact":"HIGH","baseScore":8.2,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"HIGH","scope":"CHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H","version":"3.1"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-346","description":"CWE-346 Origin Validation Error","lang":"en","type":"CWE"}]}],"providerMetadata":{"orgId":"8254265b-2729-46b6-b9e3-3dfca2d5bfca","shortName":"mitre","dateUpdated":"2026-05-16T22:24:18.071Z"},"references":[{"url":"https://github.com/barebox/barebox/security/advisories/GHSA-3fvj-q26p-j6h4"},{"url":"https://github.com/u-boot/u-boot/commit/2092322b31cc8b1f8c9e2e238d1043ae0637b241"}],"x_generator":{"engine":"CVE-Request-form 0.0.1"},"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:denx:u-boot:*:*:*:*:*:*:*:*","versionEndExcluding":"2026.04"}]}]}]}},"dataVersion":"5.2"}