Cybersecurity researchers have disclosed a critical vulnerability in the BIOS password protection mechanism of several Dell devices that could allow attackers to recover administrator and user BIOS passwords within milliseconds. The flaw, tracked as CVE-2026-40639 and detailed in Dell Security Advisory DSA-2026-197, stems from an insecure password storage mechanism rather than a weakness in password strength itself. Exploiting it generally requires physical access or low-level access to a device, but successful exploitation can bypass important firmware security controls entirely.
A Broken Encryption Design, Not a Weak Password
The vulnerability exists because certain Dell systems store BIOS passwords using a flawed repeating-key XOR encryption scheme rather than a secure cryptographic hash. Passwords are held within the Dell Variable, or DVAR, region of the SPI flash memory chip, in a 32-byte field encrypted against a 20-byte key, with the very first character of the password stored completely unencrypted regardless of length.
The flaw lies in how shorter passwords are handled. For any password of 12 characters or fewer, the unused, null-padded remainder of the 32-byte field gets XORed against zero, which simply reveals the raw key bytes directly, since XORing a value with zero returns that same value unchanged. Because the key is only 20 bytes while the storage field is 32, this mismatch leaks the entire encryption key straight out of the stored record, letting an attacker reverse any such password instantly with no brute-forcing required. Even longer passwords are not fully safe: researchers found Dell’s key derivation relies on just a fixed per-device seed, a GUID, and that single unencrypted first character, narrowing the possible key space enough that older, unencrypted historical password records left in the log-structured DVAR store can supply the missing piece.
Who Discovered It, and Which Systems Are Exposed
The flaw was discovered by security researchers Craig S. Blackie of MDSec and Darren McDonald of AmberWolf, who stumbled onto it while examining Dell UEFI firmware for an unrelated pre-boot DMA vulnerability. Their analysis confirmed the issue affects the SystemPwSmm firmware component used broadly across Dell client platforms, verified specifically on the Latitude E7250, Latitude 7490, XPS 15 9560, and notably the current-generation, still-supported Wyse 5070 thin client.
Newer Dell platforms, including the OptiPlex 3000 series, use a more secure SHA-256-based Security Information Vault Block design and were not found vulnerable in testing, showing Dell has already engineered a proper fix, just not one rolled out across its full legacy fleet. Dell and the researchers disagree modestly on severity: Dell rates the flaw 5.7 on the CVSS scale, citing high attack complexity, while the researchers argue for 6.1, pointing out that recovery is fully deterministic and low-complexity once an attacker has obtained a flash dump.
Real-World Risk and Dell’s Patching Timeline
Because BIOS passwords commonly gate Secure Boot configuration, boot order and other pre-boot protections, recovering them can open a path toward disabling security mechanisms or weakening full-disk encryption, particularly on systems where TPM policies do not measure every relevant firmware change. Exploitation is not remote: an attacker typically needs physical access to read the SPI flash chip using an inexpensive clip and programmer, or the ability to boot an attacker-controlled operating system. Once that access is obtained, however, no authentication or user interaction is needed, a combination that makes the flaw particularly concerning for enterprise laptops, shared systems and devices deployed in unsecured field environments.
Researchers privately disclosed the issue to Dell in March 2026, and the company validated the findings before publishing DSA-2026-197 on June 9, 2026, alongside firmware fixes for an initial batch of platforms, including Precision, Rugged Latitude, Embedded PC and Edge Gateway devices. Notably, the confirmed-vulnerable Latitude E7250, Latitude 7490, XPS 15 9560 and Wyse 5070 were not covered in that first patch round, with Dell targeting broader remediation by the end of July 2026. A researcher at Algoritha Security said firmware-level vulnerabilities remain among the most serious hardware security risks because they operate below the operating system and can undermine multiple layers of protection at once. The researcher advised organisations to apply Dell’s firmware updates as soon as they are released, restrict physical access to corporate devices, enable Secure Boot and TPM protections wherever possible, and avoid relying on BIOS passwords alone as the primary safeguard for sensitive systems.
