Executive Summary
Multiple critical vulnerabilities have been identified in the U-Boot bootloader’s FIT (Flattened Image Tree) signature verification code, most notably CVE-2026-46728 and several flaws tracked by Binarly (BRLY-2026-037 through BRLY-2026-042). These vulnerabilities allow attackers to bypass firmware signature verification, execute arbitrary code during the boot process, and install persistent, stealthy malware on a wide range of embedded Linux devices. The flaws are especially dangerous because exploitation occurs before the operating system loads, making detection extremely difficult and enabling attackers to establish deep persistence. While there are currently no confirmed public reports of exploitation in the wild, the attack surface is significant and proof-of-concept code is available in public research.
Technical Information
The most critical vulnerability, CVE-2026-46728, affects U-Boot versions prior to 2026.04. It allows a bypass of FIT (Flat Image Tree) signature verification due to the omission of the hashed-nodes field from the hash calculation. This origin validation error (CWE-346) enables attackers to craft malicious firmware images that are accepted as valid, even if unsigned or tampered with. The vulnerability has a CVSS 3.1 score of 8.2 (High), with a vector of AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H, indicating high impact on confidentiality, integrity, and availability.
Binarly has also disclosed related flaws under identifiers BRLY-2026-037 through BRLY-2026-042, which include memory corruption, out-of-bounds reads, null pointer dereference, improper validation of external firmware data, and unbounded recursion leading to stack exhaustion. These issues can result in device crashes or arbitrary code execution during the boot process.
The attack surface includes enterprise servers (especially those with BMCs), networking equipment, industrial systems, IoT devices, and other appliances using U-Boot. Attackers can exploit these flaws locally (via physical access or removable media) or remotely if the device supports remote firmware updates, such as through management interfaces on BMCs.
Exploitation occurs before the operating system and its security controls load, allowing attackers to disable firmware security features, modify the boot process, and install persistent bootkits or rootkits. Such malware can survive OS reinstalls and evade most detection mechanisms, as malicious code runs before OS-level logging or monitoring is available.
Exploitation in the Wild
As of July 2026, there are no confirmed public reports of exploitation in the wild for CVE-2026-46728 or the related Binarly vulnerabilities. The CISA Known Exploited Vulnerabilities (KEV) catalog does not list this CVE, so there is no CISA-confirmed active exploitation. However, the attack surface is significant, and proof-of-concept code is referenced in Binarly’s research and the public U-Boot commit history. The technical details are sufficient for skilled attackers to develop their own exploits.
APT Groups using this vulnerability
There is no direct attribution of exploitation to any Advanced Persistent Threat (APT) groups as of this report. However, the nature of these flaws—pre-OS execution, supply chain risk, and impact on BMCs—aligns with the tactics, techniques, and procedures (TTPs) of groups such as APT41, APT28, and others known for firmware and supply chain attacks. These groups have historically targeted critical infrastructure, technology, and manufacturing sectors using similar bootkit and firmware-level persistence techniques, as mapped to MITRE ATT&CK T1542.002 (Boot or Logon Autostart Execution: Bootkit).
Affected Product Versions
The vulnerabilities affect U-Boot versions from 2013.07 up to (but not including) 2026.04. This includes all mainline releases and downstream vendor forks based on these versions. All products and devices using affected U-Boot code, including vendor-customized firmware, are vulnerable unless specifically patched. Organizations should consult their device vendors to confirm whether their firmware incorporates the vulnerable code and whether patches are available.
Workaround and Mitigation
The primary remediation is to upgrade to U-Boot version 2026.04 or later, or to apply vendor-supplied firmware updates that incorporate the upstream fixes. Organizations should coordinate with device vendors, as U-Boot is often integrated into vendor-specific firmware and may require vendor-specific updates. Devices that are no longer receiving updates remain at risk and should be isolated from critical networks or replaced. Additionally, organizations should implement hardware-based attestation or out-of-band monitoring to detect unauthorized firmware changes, as traditional endpoint security tools are ineffective against pre-OS threats.
Indicators of Compromise
The following table presents real-world indicators of compromise (IOCs) extracted from public sources. These IOCs are point-in-time and should be validated before enforcement in your environment.
Type | Indicator | Reported (date) | Source
|
Domain | www[.]binarly[.]io | 2026-05 | https://www.binarly.io/blog/unfit-to-boot-breaking-u-boots-fit-signature-verification |
Domain | www[.]reddit[.]com | 2026-07 | https://www.reddit.com/r/SecOpsDaily/comments/1ut1qok/new_uboot_flaws_could_enable_stealthy_firmware/ |
URL | hxxps://www[.]binarly[.]io/blog/unfit-to-boot-breaking-u-boots-fit-signature-verification | 2026-05 | https://www.binarly.io/blog/unfit-to-boot-breaking-u-boots-fit-signature-verification |
URL | hxxps://www[.]reddit[.]com/r/SecOpsDaily/comments/1ut1qok/new_uboot_flaws_could_enable_stealthy_firmware/ | 2026-07 | https://www.reddit.com/r/SecOpsDaily/comments/1ut1qok/new_uboot_flaws_could_enable_stealthy_firmware/ |
References
- BleepingComputer: New U-Boot flaws could enable stealthy firmware attacks
- Binarly Blog: Unfit to Boot: Breaking U-Boot's FIT Signature Verification
- NVD: CVE-2026-46728
- U-Boot Commit Fix
- Mallory.ai summary
- Reddit: SecOpsDaily discussion
Rescana is here for you
Rescana provides a comprehensive Third-Party Risk Management (TPRM) platform that empowers organizations to continuously monitor, assess, and mitigate cybersecurity risks across their supply chain. Our platform delivers actionable intelligence and automated workflows to help you stay ahead of emerging threats and regulatory requirements. We are happy to answer any questions at info@rescana.com.



