A critical flaw in how Dell stores BIOS administrator and user passwords allows full password recovery from a flash dump in milliseconds, with no brute force required.
The vulnerability, tracked as CVE-2026-40639 (DSA-2026-197), stems from a broken XOR encryption scheme rather than a proper cryptographic hash.
Dell stores BIOS passwords in the DVAR (Dell Variable) region of the SPI flash chip, encrypted using a repeating 20-byte XOR key applied to a 32-byte field. The first character of the password is stored completely unencrypted.
For any password of 12 characters or fewer, the unused, null-padded tail of the 32-byte field ends up XORed against zero, which simply reveals raw key bytes. Since the key is only 20 bytes but the field is 32, this mismatch leaks the entire key directly from the record, letting attackers reverse the password instantly.
Longer passwords leave a small blind zone, but the researchers found a way around it: Dell’s key derivation uses only a fixed per-device seed, a GUID, and the single unencrypted first character of the password.
Dell BIOS Flaw Allows Password Recovery
This means there are just 256 possible keys per device. Since old, “deleted” DVAR records aren’t securely erased, an attacker can often recover an older short password, extract its key, and apply it to a longer current password sharing the same first letter.
The flaw was discovered by researchers Craig S. Blackie (MDSec) and Darren McDonald (AmberWolf), while were probing Dell UEFI firmware for unrelated pre-boot DMA vulnerabilities.
It affects the SystemPwSmm SMM driver used broadly across Dell client platforms, confirmed on the Latitude E7250, Latitude 7490, XPS 15 9560, and notably the current-generation, supported Wyse 5070 thin client, which remains unpatched.
Newer models like the OptiPlex 3000 use a proper SHA-256-based SIVB vault and are not vulnerable, showing Dell has a fix available but hasn’t rolled it out everywhere.
Since BIOS passwords often gate Secure Boot, boot order, and pre-boot DMA protections, recovering them can open a path to bypassing full-disk encryption, especially where TPM policies don’t measure every relevant setting.
The attack requires physical access to the flash chip via a clip and programmer, or booting an attacker-controlled OS, but no authentication or user interaction.
Researchers privately disclosed the issue to Dell in March 2026. Dell validated the findings and issued DSA-2026-197 on June 9, 2026, patching an initial batch of platforms (Edge Gateway, Embedded PC, Precision, and Rugged Latitude lines), with additional fixes targeted for the end of July 2026. Notably, the advisory doesn’t yet cover the Wyse 5070 or several other confirmed-vulnerable devices.
The researchers and Dell disagree slightly on CVSS scoring: Dell rates it 5.7, while the researchers argue for 6.1, based on differing views of Attack Complexity.
The researchers recommend Dell move to salted, iterated password hashing across all platforms and securely erase historical DVAR records, while advising defenders not to rely on BIOS passwords alone to protect encrypted boot chains.
Stop Accepting SLAs Written for 2019 SOCs – Here’s the 2026 AI SLA Vendor Checklist – Download Free AI SOC SLA Guide
The post Dell BIOS Flaw Lets Attackers Recover Admin Passwords From SPI Flash in Milliseconds appeared first on Cyber Security News.


