Skip to content
Threat Feed
high advisory

CVE-2026-29009 - U-Boot Buffer Overflow in nfs_readlink_reply()

A buffer overflow vulnerability exists in the nfs_readlink_reply() function of U-Boot versions up to 2026.04-rc3 when CONFIG_CMD_NFS is enabled, allowing a malicious or compromised NFS server to exploit it by sending multiple relative symlink targets, each approximately 1100 bytes long, to overflow the 2048-byte nfs_path_buff, corrupting adjacent BSS variables and potentially leading to memory corruption and control over the NFS client's state machine.

U-Boot through 2026.04-rc3 contains a severe buffer overflow vulnerability (CVE-2026-29009) residing within the nfs_readlink_reply() function in net/nfs-common.c. This flaw is exploitable when CONFIG_CMD_NFS is enabled, a common configuration for devices that boot over a network. A malicious or compromised NFS server can exploit this by crafting a sequence of two or more READLINK responses. Each response must contain a relative symlink target approximately 1100 bytes long. When these are appended by the vulnerable U-Boot client without proper cumulative length validation, the 2048-byte nfs_path_buff buffer overflows. This leads to the corruption of adjacent BSS variables, including critical network configuration data like nfs_server_ip, nfs_server_mount_port, nfs_server_port, nfs_our_port, nfs_state, and rpc_id. The consequence is memory corruption and the potential for an attacker to gain control over the U-Boot NFS client's state machine, enabling further compromise of the embedded device or system.

Attack Chain

  1. An attacker compromises or gains control of an NFS server.
  2. A vulnerable U-Boot client, with CONFIG_CMD_NFS enabled, attempts to perform an NFS operation (e.g., read a symlink) from the attacker-controlled NFS server during its boot process.
  3. The attacker's NFS server sends the first READLINK response to the U-Boot client. This response contains a crafted relative symlink target of approximately 1100 bytes.
  4. The U-Boot client's nfs_readlink_reply() function processes this response and appends the symlink target to its internal nfs_path_buff buffer, which has a capacity of 2048 bytes.
  5. The attacker's NFS server then sends a second READLINK response, also containing a relative symlink target of approximately 1100 bytes.
  6. The nfs_readlink_reply() function attempts to append this second symlink target to nfs_path_buff without validating the cumulative length of the appended data.
  7. This second append causes the nfs_path_buff buffer to overflow, corrupting adjacent BSS variables in memory, such as nfs_server_ip, nfs_state, and rpc_id.
  8. The memory corruption provides the attacker with potential control over the U-Boot NFS client's state machine, allowing for manipulation of the boot process or further arbitrary actions.

Impact

Successful exploitation of CVE-2026-29009 can lead to severe memory corruption within the U-Boot environment. Attackers can corrupt critical BSS variables, including network configuration parameters and the internal state of the NFS client. This grants the attacker control over the U-Boot NFS client state machine, potentially allowing them to manipulate the boot process, redirect network traffic, or execute arbitrary code during the initial boot stages. While no specific victim counts or industry sectors are identified in the disclosure, any embedded system or device utilizing U-Boot with NFS boot capabilities enabled is at risk, potentially leading to full device compromise before the main operating system even loads.

Recommendation

  • Patch CVE-2026-29009 on all affected U-Boot installations immediately.
  • Review and disable the CONFIG_CMD_NFS option in U-Boot builds if NFS boot functionality is not strictly required.