Dell BIOS Flaw Lets Attackers Recover Admin Passwords From SPI Flash
Security researchers have disclosed a Dell BIOS vulnerability that can expose administrator and user passwords stored in a computer’s SPI flash memory.
The flaw, tracked as CVE-2026-40639, uses weak reversible encoding instead of a secure one-way password hash. Researchers found that an attacker with physical access can recover many BIOS passwords from a firmware dump in milliseconds.
Access content across the globe at the highest speed rate.
70% of our readers choose Private Internet Access
70% of our readers choose ExpressVPN
Browse the web from multiple devices with industry-standard security protocols.
Faster dedicated servers for specific actions (currently at summer discounts)
Dell rates the vulnerability as medium severity with a CVSS score of 5.7. The company has released BIOS updates for several affected platforms and says it may expand the product list as more information becomes available.
What is CVE-2026-40639?
CVE-2026-40639 is a weak password encoding vulnerability in Dell Client Platform BIOS firmware.
According to Dell security advisory DSA-2026-197, an unauthenticated attacker with physical access could exploit the flaw to elevate privileges.
The vulnerability affects the way some Dell systems store BIOS administrator and user passwords. Those passwords can protect firmware settings such as Secure Boot, boot order, external device access, and pre-boot security options.
| Vulnerability detail | Information |
|---|---|
| CVE | CVE-2026-40639 |
| Dell advisory | DSA-2026-197 |
| Weakness | Weak encoding for passwords |
| Dell severity | Medium |
| Dell CVSS score | 5.7 |
| Attack vector | Physical access |
| Privileges required | None |
| User interaction | None |
| Potential impact | Elevation of privileges |
Dell stored BIOS passwords with reversible XOR encoding
Researchers Craig S. Blackie of MDSec and Darren McDonald of AmberWolf discovered the weakness while investigating Dell UEFI firmware for unrelated pre-boot attacks.
Their technical analysis of the Dell BIOS flaw found that affected systems store passwords in the Dell Variable, or DVAR, area of the SPI flash chip.
Instead of storing only a cryptographic hash, the affected firmware keeps the password in a reversible form. It applies a repeating 20-byte XOR key to part of a 32-byte password field.
The first password character remains unencrypted
The 32-byte record begins with the first character of the BIOS password stored in plaintext.
The remaining 31 bytes contain the rest of the password after XOR encoding. Any unused space receives null padding before the firmware applies the XOR operation.
This layout gives attackers immediate information about the password and weakens the protection applied to the rest of the record.
- Byte 0 stores the first password character without encryption.
- Bytes 1 through 31 store XOR-encoded password data.
- The firmware uses a repeating 20-byte key.
- Unused password space contains encrypted null padding.
- The password record remains inside the DVAR area of SPI flash.
Short passwords can reveal the entire XOR key
The design becomes especially weak when the BIOS password contains 12 characters or fewer.
A 32-byte field leaves a long unused section after a short password. Because the firmware pads this space with zeros before encryption, XOR operations on those zero bytes reveal the corresponding key bytes.
The 20-byte key repeats across the 32-byte field. Researchers found that the exposed padding can therefore reveal the complete key needed to reverse the encoded password.
Password recovery requires no brute force
After extracting the key from the record, an attacker can XOR it against the encoded password bytes to recover the original password.
The process does not require guessing every possible password or testing a large word list. For the common case involving passwords of 12 characters or fewer, the result is deterministic.
The researchers said their recovery method completes in milliseconds after obtaining a valid flash dump.
| Password storage feature | Security problem |
|---|---|
| 32-byte password field | Short passwords leave a large padded area |
| 20-byte repeating XOR key | The key repeats before the field ends |
| Null padding | XOR with zero exposes raw key bytes |
| Unencrypted first character | Leaks part of the password immediately |
| Reversible encoding | Allows recovery of the original password |
Longer passwords may also be recoverable
Passwords longer than 12 characters leave fewer padded bytes, so a single record may not reveal every key byte directly.
However, researchers found that Dell derives the key from a fixed per-device seed, a GUID, and the unencrypted first character of the password.
This design means a device has only 256 possible derived keys, one for each possible first-byte value. Historical password records can also help recover the key used for a longer current password.
Deleted password records may remain in flash memory
Dell’s DVAR storage works as a log-structured system. When a user changes a BIOS password, the firmware can append a new record instead of securely erasing the previous one.
An attacker may therefore find older password records inside the SPI flash dump. A previous short password can reveal a complete key associated with its first character.
If the current longer password begins with the same character, the attacker may apply the recovered key to the active record.
Only 256 keys may exist for each device
The exposed first character significantly reduces the key search space.
Researchers said the firmware’s derivation process creates only 256 possible keys for a given system. An attacker can calculate or test those possibilities without performing a conventional password brute-force attack.
This weakness means longer passwords do not necessarily protect affected systems from recovery once an attacker obtains the SPI flash contents.
Attackers need physical access or control of the operating system
The vulnerability is not remotely exploitable over the internet by itself.
An attacker must read the target system’s SPI flash. Researchers demonstrated this with a SOIC-8 clip and an inexpensive T48 chip programmer, without removing the chip or soldering components.
An attacker may also obtain a flash image by starting an operating system under their control, depending on the device configuration and firmware protections.
- Gain physical access to the Dell system.
- Connect a clip and programmer to the SPI flash chip, or boot a controlled operating system.
- Read the firmware contents into a flash dump.
- Locate the DVAR region and password record.
- Extract the leaked XOR key bytes.
- Reverse the encoded password field.
- Use the recovered password to access protected BIOS settings.
BIOS access can weaken other security controls
A BIOS administrator password can restrict changes to security-sensitive firmware settings.
After recovering the password, an attacker may change the boot order, disable Secure Boot, enable external devices, or alter pre-boot protections.
The effect on encrypted data depends on the device’s full configuration. Properly configured full-disk encryption and TPM policies may still protect information, but weak boot measurements can leave gaps.
Full-disk encryption may face additional risk
BIOS access does not automatically reveal a BitLocker or disk-encryption key.
However, changing firmware settings can help an attacker boot malicious software or manipulate a system before the primary operating system starts.
Organizations should ensure their encryption policies measure relevant firmware and boot settings. They should not rely on a BIOS password as the only control protecting an encrypted boot chain.
- Use full-disk encryption on portable and sensitive systems.
- Bind encryption keys to appropriate TPM Platform Configuration Registers.
- Use TPM with a PIN where the risk model requires it.
- Protect Secure Boot settings and enrolled keys.
- Restrict booting from external media.
- Apply physical security and chassis intrusion controls.
Researchers confirmed the flaw on several Dell systems
The researchers confirmed the vulnerable password storage mechanism on multiple Dell client platforms.
Tested systems included the Latitude E7250, Latitude 7490, XPS 15 9560, and Wyse 5070 thin client.
The affected code appears inside the SystemPwSmm System Management Mode driver, which Dell has used across a wider range of client firmware.
| Tested Dell system | Research finding |
|---|---|
| Latitude E7250 | Vulnerable storage mechanism confirmed |
| Latitude 7490 | Vulnerable storage mechanism confirmed |
| XPS 15 9560 | Vulnerable storage mechanism confirmed |
| Wyse 5070 | Vulnerable mechanism confirmed by researchers |
Not every affected device appears in Dell’s advisory
Dell’s initial advisory lists firmware updates for selected Edge Gateway, Embedded PC, Latitude, OptiPlex, Precision, and Rugged systems.
The company warns that its affected-products table may not contain every affected supported version. Dell may update the advisory as it identifies more products or releases additional firmware.
At the time of the researchers’ publication, the Wyse 5070 and some other systems used during testing did not appear in the remediation table.
Newer Dell systems use stronger password protection
The vulnerable design does not affect every modern Dell computer.
Researchers found that newer models, including the OptiPlex 3000, use a different SIVB vault based on SHA-256 password protection.
This approach avoids storing the original password through reversible XOR encoding. The researchers recommended extending the stronger system to remaining supported platforms.
Dell rates the vulnerability 5.7
Dell assigned CVE-2026-40639 a CVSS 3.1 score of 5.7.
The vector reflects physical access, high attack complexity, no required privileges, no user interaction, high confidentiality impact, high integrity impact, and no availability impact.
The researchers proposed a score of 6.1 because they consider the attack complexity low once an attacker can read the SPI flash.
| CVSS metric | Dell assessment | Researchers’ assessment |
|---|---|---|
| Attack vector | Physical | Physical |
| Attack complexity | High | Low |
| Privileges required | None | None |
| User interaction | None | None |
| Confidentiality impact | High | High |
| Integrity impact | High | High |
| Final score | 5.7 | 6.1 |
Researchers disclosed the issue in March 2026
Blackie and McDonald identified the key-wrapping weakness on February 13, 2026, while analyzing a Wyse 5070.
They sent a joint disclosure to Dell’s Product Security Incident Response Team on March 5. Dell validated the findings on March 27 and began coordinating remediation.
Dell published DSA-2026-197 and CVE-2026-40639 on June 9, 2026. The researchers released their full technical analysis on July 10.
Dell has released updates for an initial group of systems
Dell has provided patched BIOS releases for products listed in its advisory.
The initial updates cover models such as Edge Gateway 3000 and 5000 systems, Embedded PC 3000 and 5000 systems, selected Precision workstations, several Latitude models, Rugged Latitude systems, and the OptiPlex 7070 UFF.
Customers should check the current Dell affected-products and remediation table because firmware availability can change.
How to protect Dell systems from CVE-2026-40639
Organizations should first identify systems covered by Dell’s advisory and install the latest BIOS release available for each model.
Administrators should use Dell’s support page, service tag lookup, or enterprise update tools to confirm the correct firmware package.
They should also treat BIOS passwords on unpatched systems as recoverable by anyone who can read the SPI flash.
- Inventory Dell desktops, laptops, thin clients, and embedded systems.
- Compare each model and BIOS version with DSA-2026-197.
- Install Dell’s remediated BIOS release where available.
- Use a unique BIOS password for every device.
- Restrict physical access to systems and mainboards.
- Enable chassis intrusion detection where supported.
- Review Secure Boot and TPM-measured boot settings.
- Apply full-disk encryption with suitable TPM policies.
- Securely dispose of systems that handled sensitive information.
- Monitor Dell’s advisory for newly added products.
Shared BIOS passwords increase the potential impact
Some organizations configure the same BIOS administrator password across an entire device fleet.
If an attacker recovers that password from one vulnerable system, the same credential may unlock many other computers.
Using unique firmware passwords limits the damage from one compromised device, although organizations also need a secure method for storing and retrieving those passwords.
Old flash records create an additional problem
Changing a BIOS password may not remove the previous record from the DVAR store.
Historical records can remain available in the raw flash image and may help an attacker reconstruct the encryption key.
In their CVE-2026-40639 research, Blackie and McDonald recommended securely erasing old records whenever a password changes.
Researchers recommend salted password hashing
The researchers said BIOS firmware does not need to recover the original plaintext password during normal verification.
Dell could instead store a salted and iterated password hash created with a suitable algorithm. The firmware would hash the user’s input and compare it with the stored value.
This design would prevent a flash dump from directly revealing the original password, even when an attacker extracts the stored record.
Physical security remains essential
CVE-2026-40639 requires access to the target device, but the necessary hardware is inexpensive and widely available.
Companies should protect systems located in public spaces, branch offices, laboratories, warehouses, kiosks, and other areas where unauthorized people may reach the mainboard.
They should also apply secure disposal procedures. Selling or discarding an old device without considering firmware records may expose historical BIOS credentials.
Why the Dell BIOS flaw matters
The vulnerability does not create a remote path into Dell systems, and attackers must first overcome physical security or gain control before the operating system starts.
However, affected firmware stores passwords in a reversible form that can expose the original credential with little computation. The problem becomes more serious when organizations reuse BIOS passwords or depend on them to protect the boot process.
Dell customers should install available BIOS updates, monitor the advisory for additional models, strengthen disk-encryption policies, and avoid treating firmware passwords as a complete defense against physical attacks.
FAQ
CVE-2026-40639 is a weak password encoding vulnerability in Dell Client Platform BIOS. It can allow an attacker with physical access to recover BIOS passwords from an SPI flash dump.
No. Dell rates the vulnerability as medium severity with a CVSS score of 5.7. Researchers proposed a score of 6.1 because they assess the attack complexity differently.
An attacker reads the system’s SPI flash, locates the DVAR password record, extracts key bytes exposed by null padding, and reverses the XOR-encoded password.
The vulnerability does not provide a direct remote attack. An attacker needs physical access to read the SPI flash or enough control to boot an operating system capable of obtaining the firmware contents.
Dell lists selected Edge Gateway, Embedded PC, Latitude, OptiPlex, Precision, and Rugged systems. Researchers also confirmed the vulnerable design on several other models, so customers should check Dell’s latest advisory.
Researchers said passwords of 12 characters or fewer can be recovered deterministically in milliseconds after obtaining a valid SPI flash dump.
Organizations should install Dell’s updated BIOS, use unique firmware passwords, restrict physical access, strengthen Secure Boot and TPM policies, and use properly configured full-disk encryption.
Read our disclosure page to find out how can you help VPNCentral sustain the editorial team Read more
User forum
0 messages