CVE-2026-29009 - U-Boot Buffer Overflow in nfs_readlink_reply()
A buffer overflow vulnerability exists in the nfs_readlink_reply() function of U-Boot versions up to 2026.04-rc3 when CONFIG_CMD_NFS is enabled, allowing a malicious or compromised NFS server to exploit it by sending multiple relative symlink targets, each approximately 1100 bytes long, to overflow the 2048-byte nfs_path_buff, corrupting adjacent BSS variables and potentially leading to memory corruption and control over the NFS client's state machine.
U-Boot through 2026.04-rc3 contains a severe buffer overflow vulnerability (CVE-2026-29009) residing within the nfs_readlink_reply() function in net/nfs-common.c. This flaw is exploitable when CONFIG_CMD_NFS is enabled, a common configuration for devices that boot over a network. A malicious or compromised NFS server can exploit this by crafting a sequence of two or more READLINK responses. Each response must contain a relative symlink target approximately 1100 bytes long. When these are appended by the vulnerable U-Boot client without proper cumulative length validation, the 2048-byte nfs_path_buff buffer overflows. This leads to the corruption of adjacent BSS variables, including critical network configuration data like nfs_server_ip, nfs_server_mount_port, nfs_server_port, nfs_our_port, nfs_state, and rpc_id. The consequence is memory corruption and the potential for an attacker to gain control over the U-Boot NFS client's state machine, enabling further compromise of the embedded device or system.
Attack Chain
- An attacker compromises or gains control of an NFS server.
- A vulnerable U-Boot client, with
CONFIG_CMD_NFSenabled, attempts to perform an NFS operation (e.g., read a symlink) from the attacker-controlled NFS server during its boot process. - The attacker's NFS server sends the first READLINK response to the U-Boot client. This response contains a crafted relative symlink target of approximately 1100 bytes.
- The U-Boot client's
nfs_readlink_reply()function processes this response and appends the symlink target to its internalnfs_path_buffbuffer, which has a capacity of 2048 bytes. - The attacker's NFS server then sends a second READLINK response, also containing a relative symlink target of approximately 1100 bytes.
- The
nfs_readlink_reply()function attempts to append this second symlink target tonfs_path_buffwithout validating the cumulative length of the appended data. - This second append causes the
nfs_path_buffbuffer to overflow, corrupting adjacent BSS variables in memory, such asnfs_server_ip,nfs_state, andrpc_id. - The memory corruption provides the attacker with potential control over the U-Boot NFS client's state machine, allowing for manipulation of the boot process or further arbitrary actions.
Impact
Successful exploitation of CVE-2026-29009 can lead to severe memory corruption within the U-Boot environment. Attackers can corrupt critical BSS variables, including network configuration parameters and the internal state of the NFS client. This grants the attacker control over the U-Boot NFS client state machine, potentially allowing them to manipulate the boot process, redirect network traffic, or execute arbitrary code during the initial boot stages. While no specific victim counts or industry sectors are identified in the disclosure, any embedded system or device utilizing U-Boot with NFS boot capabilities enabled is at risk, potentially leading to full device compromise before the main operating system even loads.
Recommendation
- Patch CVE-2026-29009 on all affected U-Boot installations immediately.
- Review and disable the
CONFIG_CMD_NFSoption in U-Boot builds if NFS boot functionality is not strictly required.