Dell BIOS Flaw Allows Millisecond Recovery of Admin Passwords
A critical vulnerability in Dell's BIOS password storage mechanism allows attackers with physical access to recover administrator and user passwords in mere milliseconds.

A critical flaw affecting Dell's BIOS password storage mechanism allows attackers with physical access to recover administrator and user passwords in milliseconds, bypassing the need for brute-force attacks. The vulnerability, identified as CVE-2026-40639 and detailed in Dell's advisory DSA-2026-197, stems from a weak XOR encryption scheme used for storing passwords in the SPI flash chip, rather than a robust cryptographic hash.
Researchers discovered that Dell stores BIOS passwords within the DVAR (Dell Variable) region of the SPI flash chip. These passwords are encrypted using a repeating 20-byte XOR key applied to a 32-byte field. Critically, the first character of the password is stored entirely unencrypted. For passwords of 12 characters or fewer, the unused, null-padded portion of the 32-byte field is XORed against zero, which effectively reveals raw bytes of the encryption key. This mismatch between the 20-byte key and the 32-byte field allows attackers to extract the entire key directly from the password record, enabling instant password reversal.
While longer passwords create a small blind zone, the researchers found a workaround. Dell's key derivation process relies on a fixed per-device seed, a GUID, and the single unencrypted first character of the password. This limited set of variables means there are only 256 possible keys per device. Furthermore, old, "deleted" DVAR records are not securely erased. Attackers can often recover an older, shorter password, extract its corresponding key, and then apply that key to a current, longer password that shares the same first letter, thus compromising the system.
The vulnerability was uncovered by security researchers Craig S. Blackie of MDSec and Darren McDonald of AmberWolf while investigating Dell UEFI firmware for unrelated pre-boot DMA vulnerabilities. The flaw impacts the SystemPwSmm SMM driver, which is widely used across Dell client platforms. Confirmed vulnerable devices include the Latitude E7250, Latitude 7490, XPS 15 9560, and notably, the current-generation Wyse 5070 thin client, which remains unpatched.
Newer Dell models, such as the OptiPlex 3000, utilize a more secure SHA-256-based SIVB vault and are not affected, indicating that Dell possesses the necessary fixes but has not yet deployed them universally. The implications of this vulnerability are significant, as BIOS passwords often control access to critical security features like Secure Boot, boot order, and pre-boot DMA protections. Recovering these passwords can provide an attacker with a pathway to bypass full-disk encryption, particularly in environments where TPM policies do not comprehensively measure all relevant boot settings.
The attack requires physical access to the SPI flash chip, typically achieved using a clip and a programmer, or by booting an attacker-controlled operating system. Importantly, the exploit does not require any authentication or user interaction. The researchers privately disclosed the vulnerability to Dell in March 2026. Dell acknowledged the findings and issued advisory DSA-2026-197 on June 9, 2026, releasing patches for an initial set of platforms including Edge Gateway, Embedded PC, Precision, and Rugged Latitude lines. Additional fixes are slated for release by the end of July 2026.
There is a slight discrepancy in the Common Vulnerability Scoring System (CVSS) rating between Dell and the researchers. Dell assigns a score of 5.7, while the researchers argue for 6.1, primarily due to differing assessments of the attack complexity. The researchers recommend that Dell transition to salted, iterated password hashing across all its platforms and implement secure erasure for historical DVAR records. They also advise defenders to avoid relying solely on BIOS passwords for protecting encrypted boot chains.