{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-35170", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-01T17:26:21.133Z", "datePublished": "2026-04-06T18:59:04.770Z", "dateUpdated": "2026-04-07T15:10:56.071Z"}, "containers": {"cna": {"title": "openFPGALoader has a heap buffer overflow in BitParser::parseHeader() via crafted .bit file", "problemTypes": [{"descriptions": [{"cweId": "CWE-125", "lang": "en", "description": "CWE-125: Out-of-bounds Read", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/trabucayre/openFPGALoader/security/advisories/GHSA-v59x-fvpj-j22x", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/trabucayre/openFPGALoader/security/advisories/GHSA-v59x-fvpj-j22x"}], "affected": [{"vendor": "trabucayre", "product": "openFPGALoader", "versions": [{"version": "<= 1.1.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-06T18:59:04.770Z"}, "descriptions": [{"lang": "en", "value": "openFPGALoader is a utility for programming FPGAs. In 1.1.1 and earlier, a heap-buffer-overflow read vulnerability exists in BitParser::parseHeader() that allows out-of-bounds heap memory access when parsing a crafted .bit file. No FPGA hardware is required to trigger this vulnerability."}], "source": {"advisory": "GHSA-v59x-fvpj-j22x", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-07T15:10:46.780270Z", "id": "CVE-2026-35170", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-07T15:10:56.071Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-35170", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-07T15:10:46.780270Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-07T15:10:52.419Z"}}], "cna": {"title": "openFPGALoader has a heap buffer overflow in BitParser::parseHeader() via crafted .bit file", "source": {"advisory": "GHSA-v59x-fvpj-j22x", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "trabucayre", "product": "openFPGALoader", "versions": [{"status": "affected", "version": "<= 1.1.1"}]}], "references": [{"url": "https://github.com/trabucayre/openFPGALoader/security/advisories/GHSA-v59x-fvpj-j22x", "name": "https://github.com/trabucayre/openFPGALoader/security/advisories/GHSA-v59x-fvpj-j22x", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "openFPGALoader is a utility for programming FPGAs. In 1.1.1 and earlier, a heap-buffer-overflow read vulnerability exists in BitParser::parseHeader() that allows out-of-bounds heap memory access when parsing a crafted .bit file. No FPGA hardware is required to trigger this vulnerability."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-125", "description": "CWE-125: Out-of-bounds Read"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-06T18:59:04.770Z"}}}, "cveMetadata": {"cveId": "CVE-2026-35170", "state": "PUBLISHED", "dateUpdated": "2026-04-07T15:10:56.071Z", "dateReserved": "2026-04-01T17:26:21.133Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-06T18:59:04.770Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:trabucayre:openfpgaloader:*:*:*:*:*:*:*:*", "matchCriteriaId": "62581179-C886-4DE6-B888-53C8E5509FBA", "versionEndIncluding": "1.1.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "openFPGALoader is a utility for programming FPGAs. In 1.1.1 and earlier, a heap-buffer-overflow read vulnerability exists in BitParser::parseHeader() that allows out-of-bounds heap memory access when parsing a crafted .bit file. No FPGA hardware is required to trigger this vulnerability."}], "id": "CVE-2026-35170", "lastModified": "2026-04-28T17:07:12.120", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.2, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-06T20:16:25.450", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/trabucayre/openFPGALoader/security/advisories/GHSA-v59x-fvpj-j22x"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-125"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.1.1]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "openFPGALoader", "source": "cna", "vendor": "trabucayre"}, "product": "openfpgaloader", "vendor": "trabucayre"}], "analysis": {"en": {"generated_at": "2026-04-07T01:41:36.347089+00:00", "value": {"mitigation_remediation": ["Upgrade to the latest version of openFPGALoader that removes the heap\u2011buffer\u2011overflow read in BitParser::parseHeader()", "Avoid loading or parsing .bit files from untrusted sources until a patch is applied", "Monitor the trabucayre GitHub repository or security advisories for further updates or patches"], "summary": {"action": "Patch", "impact": "Heap buffer overflow read vulnerability (out\u2011of\u2011bounds heap read)"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the trabucayre openFPGALoader utility. Versions 1.1.1 and prior are impacted. Any system running those versions, regardless of whether FPGA hardware is connected, is susceptible to the flaw because the heap read occurs during file parsing.", "description_and_impact": "openFPGALoader, a tool for programming FPGAs, contains a heap\u2011buffer\u2011overflow read in BitParser::parseHeader(). When the program parses a specially crafted .bit file, it can read memory beyond intended bounds. The flaw is a read\u2011only out\u2011of\u2011bounds access; the description does not indicate code execution, but the vulnerability could allow an attacker to reveal sensitive memory contents.", "risk_and_exploitability": "The CVSS score of 7.1 suggests moderate\u2011to\u2011high risk. EPSS data is not available, and the vulnerability is not yet listed in the CISA KEV catalog. The likely attack vector is local or remote file\u2011processing; an attacker who can supply a malicious .bit file to the vulnerable program can trigger the out\u2011of\u2011bounds read. No specific hardware or additional conditions are required to exploit the flaw. The impact is primarily information disclosure of arbitrary heap data, potentially leading to further attacks if the information is valuable."}}}}, "created": "2026-04-07T06:54:39.302457+00:00", "updated": "2026-04-07T09:37:43.266911+00:00", "vendors": ["trabucayre", "trabucayre$PRODUCT$openfpgaloader"]}