CVE-2026-24795: CWE-787 Out-of-bounds Write in CloverHackyColor CloverBootloader
Out-of-bounds Write vulnerability in CloverHackyColor CloverBootloader (MdeModulePkg/Universal/RegularExpressionDxe/Oniguruma modules). This vulnerability is associated with program files regcomp.C. This issue affects CloverBootloader: before 5162.
AI Analysis
Technical Summary
CVE-2026-24795 is a medium-severity vulnerability classified as CWE-787 (Out-of-bounds Write) in CloverHackyColor CloverBootloader, specifically in the Oniguruma regular expression engine that Clover carries under MdeModulePkg/Universal/RegularExpressionDxe. The defect is in regcomp.c, the pattern-compilation stage of Oniguruma: a missing or incorrect bounds check lets compilation of a pattern write past the end of a buffer while the bootloader is executing. Because that code runs in pre-OS firmware, there is no operating-system memory protection to contain the write; the observable outcomes range from a hang or reset during boot (denial of service) to silent corruption of adjacent bootloader state, and an out-of-bounds write of this class can in principle be steered toward control-flow hijack, although the advisory does not state whether that is achievable here. All builds before 5162 are affected, so 5162 is the first build the record treats as fixed. The CVSS 4.0 vector published with the record requires local access (AV:L), no privileges (PR:N) and no user interaction (UI:N); for a bootloader that means an attacker who can influence the input the regex engine compiles, typically through files or configuration the bootloader reads from disk, rather than a network-reachable path. No public exploit code or active exploitation had been reported at the time of analysis. The vulnerability matters wherever Clover initializes hardware and hands off to an operating system, because a memory-safety defect in the bootloader sits beneath every integrity guarantee the operating system later relies on.
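The advisory does not disclose the exact defect in regcomp.c, so the following is an added, constructed C illustration of the CWE-787 weakness class as it typically appears in a regex compiler's code-emission path. It is not code from CloverBootloader, Oniguruma or this CVE: the instruction set, PROGRAM_MAX, the canary field and both compile routines are hypothetical. It shows a bounds check that covers the emission loop but not the final terminator write, beside the corrected version that sizes the whole output before writing anything.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed illustration of the CWE-787 weakness class in a regex
 * compiler's code-emission path. NOT Oniguruma's regcomp.c and NOT the
 * actual CVE-2026-24795 defect, which the advisory does not describe; it
 * shows one common shape of such a bug (a bounds check that covers the
 * loop body but not the final terminator write) next to the fix.
 * PROGRAM_MAX, the instruction set and the canary are hypothetical. */

#define PROGRAM_MAX 8   /* tiny on purpose so the overflow is easy to see */

enum op { OP_CHAR, OP_ANY, OP_STAR, OP_END };

struct insn { enum op op; unsigned char c; };

struct program {
    struct insn code[PROGRAM_MAX];
    volatile uint32_t canary;   /* directly after code[]: a write to
                                   code[PROGRAM_MAX] lands here */
    size_t len;
};

/* One pattern byte becomes one instruction; no escapes or classes. */
static struct insn encode(char ch)
{
    struct insn ins = { OP_CHAR, (unsigned char)ch };
    if (ch == '.') { ins.op = OP_ANY;  ins.c = 0; }
    if (ch == '*') { ins.op = OP_STAR; ins.c = 0; }
    return ins;
}

/* Output size of a compile: one instruction per byte plus OP_END. */
size_t instructions_needed(const char *pattern)
{
    return strlen(pattern) + 1;
}

/* VULNERABLE: the loop is bounded, the terminator is not. A pattern of
 * exactly PROGRAM_MAX bytes passes every in-loop check, then OP_END is
 * stored to code[PROGRAM_MAX], one element past the array. */
int compile_vulnerable(const char *pattern, struct program *prog)
{
    size_t n = 0;
    for (const char *p = pattern; *p != '\0'; p++) {
        if (n >= PROGRAM_MAX)
            return -1;                 /* guards the body only */
        prog->code[n++] = encode(*p);
    }
    prog->code[n++] = (struct insn){ OP_END, 0 };  /* CWE-787 when n == PROGRAM_MAX */
    prog->len = n;
    return 0;
}

/* HARDENED: size the whole output, terminator included, before the first
 * write, so an oversize pattern is rejected with nothing touched. */
int compile_checked(const char *pattern, struct program *prog)
{
    if (instructions_needed(pattern) > PROGRAM_MAX)
        return -1;
    size_t n = 0;
    for (const char *p = pattern; *p != '\0'; p++)
        prog->code[n++] = encode(*p);
    prog->code[n++] = (struct insn){ OP_END, 0 };
    prog->len = n;
    return 0;
}

/* Compile into a scratch program with the hardened path; returns the
 * emitted instruction count, or -1 if the pattern was rejected. */
long compile_checked_len(const char *pattern)
{
    struct program prog;
    memset(&prog, 0, sizeof prog);
    return compile_checked(pattern, &prog) == 0 ? (long)prog.len : -1L;
}

int main(void)
{
    const char *pattern = "a.c*defg";  /* 8 bytes == PROGRAM_MAX */
    struct program prog;

    memset(&prog, 0, sizeof prog);
    prog.canary = 0xC0FFEE11u;
    int rc = compile_vulnerable(pattern, &prog);   /* overflows: canary changes */
    printf("vulnerable: rc=%d canary=0x%08X\n", rc, (unsigned)prog.canary);

    memset(&prog, 0, sizeof prog);
    prog.canary = 0xC0FFEE11u;
    rc = compile_checked(pattern, &prog);          /* rejected: canary intact */
    printf("checked:    rc=%d canary=0x%08X\n", rc, (unsigned)prog.canary);
    return 0;
}
```

Run as is, the vulnerable path returns 0 for the eight-byte pattern and the canary that sits after the array is overwritten with the OP_END encoding (the exact bytes depend on the compiler's struct layout, and the write is undefined behaviour, which is the point); the hardened path rejects the same pattern before touching the program buffer. The design lesson carries over to any emitter in firmware: compute the full output size, including terminators and trailing fix-ups, and compare it against capacity once, up front, instead of checking inside the loop and trusting the code after the loop.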
Potential Impact
For European organizations the impact of CVE-2026-24795 depends entirely on whether CloverBootloader is present in their estate. Where it is used, typically on custom hardware, embedded systems or legacy UEFI environments, an affected system can be made to fail or misbehave during boot by anyone with the local access the published vector requires, causing downtime or loss of confidence in the integrity of the booted system; the record does not describe a remote path. Such installations are frequently outside standard patch management, which makes them easy to overlook in an inventory. This matters most in sectors such as manufacturing, telecommunications and government that depend on stable, trustworthy boot processes for critical systems. The medium severity rating reflects the local-access prerequisite, but because the bootloader runs before the operating system, any compromise at that layer sits below every OS-level control and can undermine the integrity of everything loaded afterwards. Organizations with compliance obligations on platform integrity and availability should treat unpatched Clover installations as a finding in their own right. No exploits are known, which lowers the immediate threat but not the need to locate and update affected systems.
Mitigation Recommendations
To mitigate CVE-2026-24795, organizations should:
1) Inventory every system that boots through CloverHackyColor CloverBootloader and record the installed build number; every build before 5162 is affected.
2) Update affected systems to build 5162 or later, the first build the advisory lists as not affected, and confirm afterwards that the bootloader binary the firmware actually selects on the EFI system partition is the updated one, since a replaced file that is never booted fixes nothing.
3) Where updating is not immediately possible, restrict physical and local administrative access to affected machines, because the published vector requires local access; in particular, control write access to the EFI system partition and to any configuration the bootloader reads.
4) Audit where and why Clover is still in use, and retire or replace legacy installations where feasible.
5) Where the platform and the Clover build support it, enable Secure Boot and measured boot (TPM-backed PCR measurements, ideally with remote attestation) to detect unauthorized replacement of bootloader components. Note the limit: these controls verify which image is loaded, not how it behaves, so they do not stop an out-of-bounds write inside a legitimate but vulnerable Clover binary; their value here is making tampering with bootloader files detectable and proving which build booted.
6) Track this CVE in vulnerability management and incident response workflows so that new exploit reports or follow-up advisories trigger action.
7) Brief system administrators on the risk of local exploitation of bootloader code and on keeping bootloader updates in the same cadence as operating system patches.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy
Technical Details
- Data Version: 5.2
- Assigner Short Name: GovTech CSG
- Date Reserved: 2026-01-27T08:18:43.267Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 697878ed4623b1157c0fa6a0
Added to database: 1/27/2026, 8:35:57 AM
Last enriched: 1/27/2026, 8:51:33 AM
Last updated: 2/7/2026, 2:30:26 AM