#1134691 efivar: CVE-2026-6862

Package:
src:efivar
Source:
src:efivar
Submitter:
Salvatore Bonaccorso
Date:
2026-04-23 07:49:02 UTC
Severity:
normal
Tags:
#1134691#5
Date:
2026-04-23 07:46:26 UTC
From:
To:
Hi,

The following vulnerability was published for efivar.

CVE-2026-6862[0]:
| A flaw was found in libefiboot, a component of efivar. The device
| path node parser in libefiboot fails to validate that each node's
| Length field is at least 4 bytes, which is the minimum size for an
| EFI (Extensible Firmware Interface) device path node header. A local
| user could exploit this vulnerability by providing a specially
| crafted device path node. This can lead to infinite recursion,
| causing stack exhaustion and a process crash, resulting in a denial
| of service (DoS).

When I checked htere was not yet an issue opened as well on the
upstream project afaict.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-6862
https://www.cve.org/CVERecord?id=CVE-2026-6862
[1] https://bugzilla.redhat.com/show_bug.cgi?id=2459982

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore