CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-54333

criticalCVSS 9.8covered by 1 sourcefirst seen 2026-04-16
uefi-firmware contains a stack out-of-bounds write vulnerability in the native tiano/EFI decompressor. in uefi_firmware/compression/Tiano/Decompress.c, MakeTable() does not validate that bit-length values read from the compressed bitstream are within the expected range (0..16). a crafted firmware blob can supply bit lengths greater than 16, causing out-of-bounds writes to the stack-allocated Count[17] array and related decode tables. reachability is through the normal parsing path: CompressedSection.process() -> efi_compressor.TianoDecompress() -> TianoDecompress() -> ReadPTLen() -> MakeTable(). Minimum impact is a deterministic crash; depending on build/runtime details, the stack memory corruption may be exploitable for code execution in the context of the parsing process. this project shipped its own copy of the decompressor without the upstream EDK2 hardening for this bug class. References: - PR: <https://github.com/theopolis/uefi-firmware-parser/pull/145> - fix commit: <https://github.com/theopolis/uefi-firmware-parser/commit/bf3dfaa8a05675bae6ea0cbfa082ddcebfcde23e> - upstream related fixes: CVE-2017-5731, CVE-2017-5732, CVE-2017-5733, CVE-2017-5734, CVE-2017-5735

⚡ Watch CVE-2026-54333

Get an email if CVE-2026-54333 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Advisory coverage (1)

External references

NVD record for CVE-2026-54333

CVE.org record

Embed the live status

CVE-2026-54333 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2026-54333 status](https://www.csirts.com/badge/CVE-2026-54333)](https://www.csirts.com/cve/CVE-2026-54333)