Published on July 11, 2026
Dell BIOS Flaw Lets Attackers Recover Passwords From SPI Flash
Severity
Medium
Detail
Dell has disclosed a security vulnerability, tracked as CVE-2026-40639 (DSA-2026-197) affecting multiple Dell client platforms. This flaw allows attackers with physical access to recover BIOS administrator and user passwords from the device’s SPI flash memory due to the use of an insecure XOR-based password storage mechanism.
The vulnerability exists in the SystemPwSmm System Management Mode (SMM) driver where BIOS passwords are stored in the Dell Variable (DVAR) region of SPI flash using a weak repeating XOR key instead of a secure cryptographic hash. This implementation allows attackers to recover plaintext BIOS passwords directly from a flash memory dump without brute force or prior knowledge of the password.
Exploitation requires physical access to the affected device to obtain a copy of the SPI flash, either by connecting an external flash programmer or by booting an attacker-controlled operating system. Once the flash contents are obtained, attackers can recover BIOS passwords within seconds.
Successful exploitation may enable attackers to disable BIOS security settings, Secure Boot, or pre-boot protections, potentially facilitating unauthorized access to encrypted storage and other protected system resources. At the time of publication, there is no evidence of active exploitation. Dell has introduced a more secure SHA-256-based password storage mechanism on newer platforms and is working to expand remediation to additional affected devices.
| CVE ID | Summary | CVSS Score |
| CVE-2026-40639 | Weak XOR-based BIOS password storage allows attackers with physical access to recover plaintext BIOS passwords from SPI flash memory, potentially bypassing firmware security protections. | 5.7 (Medium) |
Affected Products
The vulnerability has been confirmed on the following Dell platforms:
- Dell Latitude E7250
- Dell XPS 15 9560
- Dell Latitude 7490
- Dell Wyse 5070 Thin Client
Additionally, Dell client platforms using the vulnerable SystemPwSmm implementation may also be affected.
Recommendation
Organizations using affected Dell devices should take the following actions immediately:
- Apply Dell BIOS and firmware updates as soon as security fixes become available for affected platforms.
- Restrict physical access to corporate devices and prevent unauthorized booting from external media.
- Treat BIOS passwords as an additional security layer rather than the sole protection for sensitive systems.
- Enable Secure Boot, TPM-based measured boot, and properly configured full-disk encryption to reduce the impact of firmware-level attacks.
- Avoid reusing BIOS passwords across multiple devices and assign unique BIOS credentials where possible.
- Ensure retired or decommissioned devices are securely sanitized before disposal or resale to prevent recovery of historical BIOS credentials.
Source
https://cybersecuritynews.com/dell-bios-flaw-admin-passwords/
