A significant security vulnerability has been identified in Dell’s BIOS password storage mechanism, allowing attackers to retrieve administrator passwords from SPI flash memory almost instantaneously. This flaw, catalogued as CVE-2026-40639, results from an inadequate encryption method using an XOR key instead of a robust cryptographic hash.
Understanding the Vulnerability
This issue arises because Dell encrypts BIOS passwords in the DVAR region of the SPI flash chip using a 20-byte XOR key applied to a 32-byte field. The first character of any password is stored unencrypted, creating a weakness that attackers can exploit. For passwords shorter than 12 characters, the remaining bytes are XORed against zero, inadvertently exposing the key.
The mismatch between the 20-byte key and the 32-byte field allows the entire key to be extracted, enabling attackers to reverse-engineer the password. Although longer passwords have a small protection gap, the key derivation process, which uses a fixed device-specific seed and the unencrypted first character, still leaves vulnerabilities.
Technical Implications and Device Impact
With only 256 potential keys per device, an intruder can recover older, ‘deleted’ DVAR records, extract their keys, and use these to decipher longer current passwords sharing the same leading character. This vulnerability affects the SystemPwSmm SMM driver, prevalent across many Dell client platforms, including confirmed threats to the Latitude E7250, Latitude 7490, and the unpatched Wyse 5070 thin client.
While newer models like the OptiPlex 3000 have adopted secure hashing methods, such as SHA-256-based SIVB vaults, many devices remain susceptible. This flaw is particularly concerning as BIOS passwords protect critical functions like Secure Boot and disk encryption, meaning compromised passwords could lead to significant security breaches.
Disclosure and Recommendations
The vulnerability was first reported by researchers Craig S. Blackie and Darren McDonald, who discovered it while exploring Dell’s UEFI firmware. The issue was disclosed to Dell in March 2026, and Dell responded by validating the findings and issuing a security advisory (DSA-2026-197) in June 2026, initially patching several platforms. However, some devices, including the Wyse 5070, remain unaddressed.
Differences in assessing the vulnerability’s severity have emerged, with Dell assigning a CVSS score of 5.7, while researchers suggest a score of 6.1. To mitigate risks, experts recommend Dell implement salted, iterated hashing and ensure secure erasure of old DVAR records. They also advise against relying solely on BIOS passwords for securing boot processes.
This situation underscores the importance of robust encryption practices and prompt patch deployment to safeguard sensitive systems against potential exploits.
