DEV Community

Mark0
Mark0

Posted on

Dell BIOS Passwords: Weak XOR Encryption Allows Recovery from SPI Flash (CVE-2026-40639)

Security researchers have discovered a critical vulnerability in how various Dell client platforms store BIOS administrator passwords. Instead of using secure one-way hashes, these systems utilize a weak XOR-encryption scheme within the Dell Variable (DVAR) region of the SPI flash. Because the encryption key is only 20 bytes long while the password field is 32 bytes, the unused null-padding effectively leaks the encryption key. This allows for deterministic password recovery in milliseconds from a flash dump without requiring brute-force attacks.

The vulnerability, tracked as CVE-2026-40639, affects numerous legacy and some current-generation devices like the Wyse 5070. Attackers with physical access can extract the SPI flash content to bypass BIOS protections, potentially compromising Secure Boot and full disk encryption chains. While Dell has transitioned newer models to a more secure SHA-256 vault system (SIVB), many supported devices remain vulnerable until remediation is completed throughout late 2026.


Read Full Article

Top comments (0)