{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-6862", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "state": "PUBLISHED", "assignerShortName": "redhat", "dateReserved": "2026-04-22T13:19:59.764Z", "datePublished": "2026-04-22T13:45:45.503Z", "dateUpdated": "2026-04-22T14:28:14.132Z"}, "containers": {"cna": {"title": "Efivar: efivar: denial of service due to stack overflow in device path node parsing", "metrics": [{"other": {"content": {"value": "Moderate", "namespace": "https://access.redhat.com/security/updates/classification/"}, "type": "Red Hat severity rating"}}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "version": "3.1"}, "format": "CVSS"}], "descriptions": [{"lang": "en", "value": "A flaw was found in libefiboot, a component of efivar. The device path node parser in libefiboot fails to validate that each node's Length field is at least 4 bytes, which is the minimum size for an EFI (Extensible Firmware Interface) device path node header. A local user could exploit this vulnerability by providing a specially crafted device path node. This can lead to infinite recursion, causing stack exhaustion and a process crash, resulting in a denial of service (DoS)."}], "affected": [{"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 10", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "efivar", "defaultStatus": "unknown", "cpes": ["cpe:/o:redhat:enterprise_linux:10"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 7", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "efivar", "defaultStatus": "unknown", "cpes": ["cpe:/o:redhat:enterprise_linux:7"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "efivar", "defaultStatus": "unknown", "cpes": ["cpe:/o:redhat:enterprise_linux:8"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 9", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "efivar", "defaultStatus": "unknown", "cpes": ["cpe:/o:redhat:enterprise_linux:9"]}, {"vendor": "Red Hat", "product": "Red Hat OpenShift Container Platform 4", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "rhcos", "defaultStatus": "unknown", "cpes": ["cpe:/a:redhat:openshift:4"]}], "references": [{"url": "https://access.redhat.com/security/cve/CVE-2026-6862", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2459982", "name": "RHBZ#2459982", "tags": ["issue-tracking", "x_refsource_REDHAT"]}], "datePublic": "2026-04-09T00:00:00.000Z", "problemTypes": [{"descriptions": [{"cweId": "CWE-674", "description": "Uncontrolled Recursion", "lang": "en", "type": "CWE"}]}], "x_redhatCweChain": "CWE-674: Uncontrolled Recursion", "workarounds": [{"lang": "en", "value": "Applications using efi_loadopt_is_valid() should validate the size of the input buffer before passing it to libefiboot. As a library-level fix, the device path iterator should enforce a minimum node Length of 4 before recursing:\n\n if (dp->length < 4)\n return -1;"}], "timeline": [{"lang": "en", "time": "2026-04-09T00:00:00.000Z", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2026-04-09T00:00:00.000Z", "value": "Made public."}], "credits": [{"lang": "en", "value": "Red Hat would like to thank Mathis Huron (Oteria Cyber School, FuzzingLabs) for reporting this issue."}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2026-04-22T13:45:45.503Z"}, "x_generator": {"engine": "cvelib 1.8.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-22T14:28:03.007164Z", "id": "CVE-2026-6862", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-22T14:28:14.132Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-6862", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-22T14:28:03.007164Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-22T14:28:06.496Z"}}], "cna": {"title": "Efivar: efivar: denial of service due to stack overflow in device path node parsing", "credits": [{"lang": "en", "value": "Red Hat would like to thank Mathis Huron (Oteria Cyber School, FuzzingLabs) for reporting this issue."}], "metrics": [{"other": {"type": "Red Hat severity rating", "content": {"value": "Moderate", "namespace": "https://access.redhat.com/security/updates/classification/"}}}, {"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"cpes": ["cpe:/o:redhat:enterprise_linux:10"], "vendor": "Red Hat", "product": "Red Hat Enterprise Linux 10", "packageName": "efivar", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unknown"}, {"cpes": ["cpe:/o:redhat:enterprise_linux:7"], "vendor": "Red Hat", "product": "Red Hat Enterprise Linux 7", "packageName": "efivar", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unknown"}, {"cpes": ["cpe:/o:redhat:enterprise_linux:8"], "vendor": "Red Hat", "product": "Red Hat Enterprise Linux 8", "packageName": "efivar", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unknown"}, {"cpes": ["cpe:/o:redhat:enterprise_linux:9"], "vendor": "Red Hat", "product": "Red Hat Enterprise Linux 9", "packageName": "efivar", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unknown"}, {"cpes": ["cpe:/a:redhat:openshift:4"], "vendor": "Red Hat", "product": "Red Hat OpenShift Container Platform 4", "packageName": "rhcos", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unknown"}], "timeline": [{"lang": "en", "time": "2026-04-09T00:00:00.000Z", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2026-04-09T00:00:00.000Z", "value": "Made public."}], "datePublic": "2026-04-09T00:00:00.000Z", "references": [{"url": "https://access.redhat.com/security/cve/CVE-2026-6862", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2459982", "name": "RHBZ#2459982", "tags": ["issue-tracking", "x_refsource_REDHAT"]}], "workarounds": [{"lang": "en", "value": "Applications using efi_loadopt_is_valid() should validate the size of the input buffer before passing it to libefiboot. As a library-level fix, the device path iterator should enforce a minimum node Length of 4 before recursing:\n\n if (dp->length < 4)\n return -1;"}], "x_generator": {"engine": "cvelib 1.8.0"}, "descriptions": [{"lang": "en", "value": "A flaw was found in libefiboot, a component of efivar. The device path node parser in libefiboot fails to validate that each node's Length field is at least 4 bytes, which is the minimum size for an EFI (Extensible Firmware Interface) device path node header. A local user could exploit this vulnerability by providing a specially crafted device path node. This can lead to infinite recursion, causing stack exhaustion and a process crash, resulting in a denial of service (DoS)."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-674", "description": "Uncontrolled Recursion"}]}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2026-04-22T13:45:45.503Z"}, "x_redhatCweChain": "CWE-674: Uncontrolled Recursion"}}, "cveMetadata": {"cveId": "CVE-2026-6862", "state": "PUBLISHED", "dateUpdated": "2026-04-22T14:28:14.132Z", "dateReserved": "2026-04-22T13:19:59.764Z", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "datePublished": "2026-04-22T13:45:45.503Z", "assignerShortName": "redhat"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw was found in libefiboot, a component of efivar. The device path node parser in libefiboot fails to validate that each node's Length field is at least 4 bytes, which is the minimum size for an EFI (Extensible Firmware Interface) device path node header. A local user could exploit this vulnerability by providing a specially crafted device path node. This can lead to infinite recursion, causing stack exhaustion and a process crash, resulting in a denial of service (DoS)."}], "id": "CVE-2026-6862", "lastModified": "2026-04-22T21:23:52.620", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "secalert@redhat.com", "type": "Primary"}]}, "published": "2026-04-22T14:17:08.060", "references": [{"source": "secalert@redhat.com", "url": "https://access.redhat.com/security/cve/CVE-2026-6862"}, {"source": "secalert@redhat.com", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2459982"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-674"}], "source": "secalert@redhat.com", "type": "Primary"}]}

{"acknowledgement": "Red Hat would like to thank Mathis Huron (Oteria Cyber School, FuzzingLabs) for reporting this issue.", "bugzilla": {"description": "efivar: efivar: Denial of Service due to stack overflow in device path node parsing", "id": "2459982", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2459982"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-674", "details": ["A flaw was found in libefiboot, a component of efivar. The device path node parser in libefiboot fails to validate that each node's Length field is at least 4 bytes, which is the minimum size for an EFI (Extensible Firmware Interface) device path node header. A local user could exploit this vulnerability by providing a specially crafted device path node. This can lead to infinite recursion, causing stack exhaustion and a process crash, resulting in a denial of service (DoS)."], "mitigation": {"lang": "en:us", "value": "Applications using efi_loadopt_is_valid() should validate the size of the input buffer before passing it to libefiboot. As a library-level fix, the device path iterator should enforce a minimum node Length of 4 before recursing:\nif (dp->length < 4)\nreturn -1;"}, "name": "CVE-2026-6862", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Under investigation", "package_name": "efivar", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Under investigation", "package_name": "efivar", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Under investigation", "package_name": "efivar", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Under investigation", "package_name": "efivar", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Under investigation", "package_name": "rhcos", "product_name": "Red Hat OpenShift Container Platform 4"}], "public_date": "2026-04-09T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-6862\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-6862"], "statement": "Moderate impact. A stack overflow vulnerability in `libefiboot` (part of `efivar`) can lead to a process crash due to unbounded recursion when parsing a specially crafted device path node. This flaw affects Red Hat Enterprise Linux 8, 9, and 10, as well as Fedora and OpenShift Container Platform.", "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": null}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "Red Hat Enterprise Linux 10", "source": "cna", "vendor": "Red Hat"}, "product": "enterprise_linux", "vendor": "redhat"}, {"configurations": [{"platform": null, "status": "affected", "versions": null}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "openshift", "vendor": "redhat"}, {"configurations": [{"platform": null, "status": "affected", "versions": null}], "enrichment": {"confidence": 86.0, "confidence_source": "matching", "scores": [{"score": 86.0, "source": "matching"}]}, "original": {"product": "Red Hat OpenShift Container Platform 4", "source": "cna", "vendor": "Red Hat"}, "product": "openshift_container_platform", "vendor": "redhat"}], "analysis": {"en": {"generated_at": "2026-04-22T19:20:10.165792+00:00", "value": {"mitigation_remediation": ["Install the latest Red\u00a0Hat package update for libefiboot that includes the node length validation fix for RHEL\u00a07\u00a0through\u00a010 and OpenShift\u00a04.", "If no update is available yet, modify applications that call efi_loadopt_is_valid() to validate the size of the input buffer before requesting libefiboot to process it.", "At the library level, patch libefiboot so that the device path iterator checks that each node\u2019s Length field is at least 4 bytes and returns an error if it is not to prevent stack exhaustion."], "summary": {"action": "Apply Workaround", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "The vulnerability affects multiple Red\u00a0Hat products, including Red\u00a0Hat Enterprise Linux 10, 7, 8, 9 and Red\u00a0Hat OpenShift Container Platform 4.", "description_and_impact": "A flaw in libefiboot, a component of efivar, occurs when the device path node parser fails to ensure that each node\u2019s Length field is at least 4 bytes, the minimum size for an EFI device path node header. This defect allows a specially crafted device path node to trigger infinite recursion, exhausting the stack and crashing the process. The resultant denial of service can cripple applications that depend on efivar and may impact system stability if the crashed process is critical.", "risk_and_exploitability": "The CVSS score of 5.5 indicates moderate severity. The EPSS score is not available, and the vulnerability is not listed in CISA\u2019s KEV catalog. Exploitation requires a local user able to supply a crafted device path node, so the attack vector is inferred to be local. No remote or privilege\u2011escalation vector is documented. Given the moderate score and local nature, the risk is present but limited to systems that run vulnerable versions of libefiboot and accept handcrafted device paths."}}}}, "created": "2026-04-22T19:30:24.745789+00:00", "updated": "2026-04-27T20:21:03.621688+00:00", "vendors": ["redhat", "redhat$PRODUCT$enterprise_linux", "redhat$PRODUCT$openshift", "redhat$PRODUCT$openshift_container_platform"]}