Dell BIOS Critical Flaw Exposes Admin Passwords From SPI Flash
Key Takeaways A critical vulnerability (CVE-2026-40639) in Dell’s BIOS password storage mechanism allows for the immediate recovery of administrator and user passwords. The flaw stems from a...
Key Takeaways
- A critical vulnerability (CVE-2026-40639) in Dell’s BIOS password storage mechanism allows for the immediate recovery of administrator and user passwords.
- The flaw stems from a flawed XOR encryption scheme, not a robust cryptographic hash, making passwords recoverable from SPI flash memory dumps without brute force.
- Affected devices include various Dell Latitude, XPS, and Wyse models, with some current-generation devices like the Wyse 5070 remaining unpatched.
- While physical access or an attacker-controlled OS is required, the vulnerability can bypass critical security measures like Secure Boot and pre-boot DMA protections.
- Dell has issued patches for some platforms (DSA-2026-197), but a comprehensive fix for all vulnerable systems is still pending.
A significant security flaw has been identified in how Dell safeguards BIOS administrator and user passwords, enabling their complete recovery from a flash memory dump in mere milliseconds, bypassing any need for brute-force attacks.
Table Of Content
This critical vulnerability, officially cataloged as CVE-2026-40639 (DSA-2026-197), is rooted in a fundamentally broken XOR encryption method employed by Dell, rather than a cryptographically secure hashing algorithm.
Technical Breakdown of the Flaw
Dell stores BIOS passwords within the DVAR (Dell Variable) region of the SPI flash chip. These passwords are “encrypted” using a repetitive 20-byte XOR key applied to a 32-byte field. Critically, the very first character of the password is stored entirely unencrypted.
The core of the weakness lies in how shorter passwords interact with this fixed-size field. For any password consisting of 12 characters or fewer, the remaining unused portion of the 32-byte field is padded with null bytes. When these null bytes are XORed against the repeating 20-byte key, the raw bytes of the key are directly exposed. Because the key is 20 bytes and the field is 32 bytes, this mismatch inadvertently leaks the entire XOR key, allowing an attacker to instantly reverse-engineer the password.
While longer passwords obscure a small segment of the key, researchers discovered a workaround. Dell’s key derivation process relies solely on a fixed per-device seed, a GUID, and the single unencrypted first character of the password. This design limits the total number of possible keys per device to just 256 permutations.
Further compounding the issue, older, “deleted” DVAR records are not securely erased. This allows an attacker to often retrieve an old, shorter password, extract its associated key, and then apply that key to a longer, current password if both share the same initial character.
Affected Systems and Discovery
The vulnerability was uncovered by security researchers Craig S. Blackie of MDSec and Darren McDonald of AmberWolf. Their discovery occurred while they were investigating Dell UEFI firmware for unrelated pre-boot DMA vulnerabilities.
The flaw impacts the SystemPwSmm SMM driver, which is widely deployed across various Dell client platforms. Specific models confirmed vulnerable include the Latitude E7250, Latitude 7490, XPS 15 9560, and notably, the currently supported Wyse 5070 thin client, which remains unpatched at the time of reporting.
It is important to note that newer Dell models, such as the OptiPlex 3000 series, implement a proper SHA-256-based SIVB vault for password storage and are not susceptible to this particular vulnerability. This indicates that Dell possesses a secure solution, but its deployment across all product lines is incomplete.
Impact and Remediation
The recovery of BIOS passwords can have severe security implications. These passwords frequently control critical security features such as Secure Boot, boot order, and pre-boot DMA protections. Bypassing them can create a pathway to circumvent full-disk encryption, particularly in scenarios where TPM policies do not rigorously measure every relevant setting.
Executing this attack necessitates physical access to the flash chip, typically via a clip and programmer, or the ability to boot an attacker-controlled operating system. Crucially, it does not require any prior authentication or user interaction.
Researchers privately disclosed the issue to Dell in March 2026. Dell verified the findings and subsequently released DSA-2026-197 on June 9, 2026, which provided patches for an initial set of platforms including Edge Gateway, Embedded PC, Precision, and Rugged Latitude lines. Dell has indicated that additional fixes are planned for late July 2026. However, the advisory conspicuously does not yet cover the Wyse 5070 or several other confirmed-vulnerable devices.
There is a slight disagreement between the researchers and Dell regarding the CVSS scoring for this vulnerability. Dell assigns a score of 5.7, while the researchers advocate for a higher score of 6.1, citing differing interpretations of the attack complexity.
What You Should Do
- Apply Updates Immediately: For Dell systems listed in DSA-2026-197, ensure all available BIOS and firmware updates are installed without delay.
- Monitor for Future Patches: Keep a close watch on Dell’s security advisories for updates pertaining to currently unpatched vulnerable devices, especially the Wyse 5070 and other confirmed affected models.
- Strengthen Boot Chain Protections: Do not rely solely on BIOS passwords to secure your boot chain. Implement robust TPM policies that measure all relevant boot settings to detect and prevent tampering.
- Implement Physical Security: Given that the attack requires physical access or an attacker-controlled OS, reinforce physical security measures for all Dell devices, especially those in high-risk environments.
- Consider Alternative Security Controls: Researchers recommend Dell transition to salted, iterated password hashing across all platforms and ensure secure erasure of historical DVAR records. While this is a vendor recommendation, defenders should consider multi-factor authentication for sensitive systems where feasible.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.