CVE-2026-6862 PUBLISHED

Efivar: efivar: denial of service due to stack overflow in device path node parsing

Assigner: redhat
Reserved: 22.04.2026 Published: 22.04.2026 Updated: 22.04.2026

A flaw was found in libefiboot, a component of efivar. The device path node parser in libefiboot fails to validate that each node's Length field is at least 4 bytes, which is the minimum size for an EFI (Extensible Firmware Interface) device path node header. A local user could exploit this vulnerability by providing a specially crafted device path node. This can lead to infinite recursion, causing stack exhaustion and a process crash, resulting in a denial of service (DoS).

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
CVSS Score: 5.5

Attack Vector	Local	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	None
Privileges Required	None	Integrity Impact	None
User Interaction	Required	Availability Impact	High

CVSS 3.1

Product Status

Vendor	Red Hat
Product	Red Hat Enterprise Linux 10
Versions	Default: unknown

Vendor	Red Hat
Product	Red Hat Enterprise Linux 7
Versions	Default: unknown

Vendor	Red Hat
Product	Red Hat Enterprise Linux 8
Versions	Default: unknown

Vendor	Red Hat
Product	Red Hat Enterprise Linux 9
Versions	Default: unknown

Vendor	Red Hat
Product	Red Hat OpenShift Container Platform 4
Versions	Default: unknown

Workarounds

Applications using efi_loadopt_is_valid() should validate the size of the input buffer before passing it to libefiboot. As a library-level fix, the device path iterator should enforce a minimum node Length of 4 before recursing:

if (dp->length < 4) return -1;

Credits

Red Hat would like to thank Mathis Huron (Oteria Cyber School, FuzzingLabs) for reporting this issue.

References

Problem Types

Uncontrolled Recursion CWE