Product
A buffer overflow vulnerability exists in the nfs_readlink_reply() function of U-Boot versions up to 2026.04-rc3 when CONFIG_CMD_NFS is enabled, allowing a malicious or compromised NFS server to exploit it by sending multiple relative symlink targets, each approximately 1100 bytes long, to overflow the 2048-byte nfs_path_buff, corrupting adjacent BSS variables and potentially leading to memory corruption and control over the NFS client's state machine.