Skip to content
Threat Feed
high advisory

CVE-2026-29008: U-Boot Integer Underflow Leads to Bootloader Crash

An integer underflow vulnerability (CVE-2026-29008) in U-Boot's `tcp_rx_state_machine()` function allows a network-adjacent attacker to crash the bootloader by sending a crafted TCP SYN+ACK packet, potentially preventing device boot and leading to memory corruption.

U-Boot versions up to and including 2026.04-rc3 are susceptible to an integer underflow vulnerability (CVE-2026-29008) within the tcp_rx_state_machine() function, located in net/tcp.c. This flaw enables a network-adjacent attacker to trigger a bootloader crash, thereby preventing the device from booting. The attack involves sending a specially crafted TCP SYN+ACK packet where the data offset field is manipulated. This manipulation causes the payload_len variable to become negative. Subsequently, this negative value is implicitly converted into a large unsigned integer when passed to memcpy() within the store_block() function, leading to an excessive memory copy operation and an immediate system crash. If CONFIG_LMB is disabled, this could also result in memory corruption. This vulnerability poses a significant denial-of-service risk for embedded systems utilizing affected U-Boot versions.

Attack Chain

  1. Attacker gains network adjacency to a vulnerable device running U-Boot.
  2. The attacker crafts a malicious TCP SYN+ACK packet.
  3. The data offset field within the crafted TCP SYN+ACK packet is manipulated to an invalid value.
  4. The vulnerable U-Boot bootloader receives the malformed TCP SYN+ACK packet in its tcp_rx_state_machine() function.
  5. During processing, the manipulated data offset causes the payload_len variable to become a negative integer.
  6. The TCP_SYN_SENT handler calls tcp_rx_user_data() without proper tcp_seg_in_wnd() validation for the malformed packet.
  7. The negative payload_len is implicitly converted to a very large unsigned integer, which is then passed to memcpy() in store_block().
  8. The memcpy() operation attempts to copy an excessively large amount of data, resulting in an immediate bootloader crash and device failure to boot, with potential memory corruption if CONFIG_LMB is disabled.

Impact

The successful exploitation of CVE-2026-29008 leads to a denial of service (DoS) by causing the affected U-Boot bootloader to crash. This prevents the device from successfully booting, rendering it inoperable until manual intervention or a power cycle. The vulnerability has a CVSS v3.1 base score of 7.5, indicating a high severity. Furthermore, if the CONFIG_LMB option is disabled, the arbitrary large memcpy() operation could result in memory corruption, potentially leading to further compromise beyond a mere crash, though direct code execution is not explicitly detailed. This impacts embedded devices and systems that rely on U-Boot for their boot process.

Recommendation

  • Immediately patch U-Boot to a version beyond 2026.04-rc3 to remediate CVE-2026-29008.
  • Implement network intrusion detection/prevention systems (IDS/IPS) to block malformed TCP SYN+ACK packets, particularly those with anomalous data offset values associated with CVE-2026-29008 exploitation attempts.
  • Review network firewall rules to ensure only legitimate and properly formed network traffic reaches critical embedded devices running U-Boot.