A critical vulnerability in Dell's BIOS password storage system has been identified, allowing attackers to recover administrator passwords from the SPI flash chip within milliseconds. This flaw, registered as CVE-2026-40639, arises from the use of a flawed XOR encryption scheme instead of a robust cryptographic hash. Dell stores passwords in the DVAR region of the SPI flash, using a repeating 20-byte XOR key on a 32-byte field, with the password's first character unencrypted.
For passwords of 12 characters or fewer, the remaining portion of the field is XORed against zero, which reveals the raw key bytes. This allows attackers to extract the password quickly. Even for longer passwords, the issue persists due to Dell's key derivation process relying on a fixed per-device seed, a GUID, and the unencrypted first character of the password, limiting the possible keys to just 256 per device.
Researchers Craig S. Blackie and Darren McDonald uncovered this flaw while investigating Dell's UEFI firmware for other vulnerabilities. The vulnerability affects the SystemPwSmm SMM driver used in numerous Dell client platforms, including the Latitude E7250, Latitude 7490, XPS 15 9560, and the Wyse 5070 thin client, which remains unpatched. However, newer models like the OptiPlex 3000 are not vulnerable due to the use of a SHA-256-based SIVB vault.
The attack necessitates physical access to the flash chip or booting an attacker-controlled OS, though it does not require authentication or user interaction. Dell was informed of the issue in March 2026, confirmed the flaw, and issued an advisory in June 2026, patching some devices with more fixes expected by July 2026. The Wyse 5070 and other devices still await updates. While Dell rates the CVSS score at 5.7, researchers suggest a score of 6.1 due to differing views on attack complexity. Recommendations include adopting salted, iterated password hashing and securely erasing historical records, while also advising against relying solely on BIOS passwords for securing encrypted boot chains.


