{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/u-boot-through-2026.04-rc3/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-29008"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["U-Boot (through 2026.04-rc3)"],"_cs_severities":["high"],"_cs_tags":["denial-of-service","vulnerability","bootloader","network","embedded-systems"],"_cs_type":"advisory","_cs_vendors":["U-Boot Project"],"content_html":"\u003cp\u003eU-Boot versions up to and including 2026.04-rc3 are susceptible to an integer underflow vulnerability (CVE-2026-29008) within the \u003ccode\u003etcp_rx_state_machine()\u003c/code\u003e function, located in \u003ccode\u003enet/tcp.c\u003c/code\u003e. This flaw enables a network-adjacent attacker to trigger a bootloader crash, thereby preventing the device from booting. The attack involves sending a specially crafted TCP SYN+ACK packet where the data offset field is manipulated. This manipulation causes the \u003ccode\u003epayload_len\u003c/code\u003e variable to become negative. Subsequently, this negative value is implicitly converted into a large unsigned integer when passed to \u003ccode\u003ememcpy()\u003c/code\u003e within the \u003ccode\u003estore_block()\u003c/code\u003e function, leading to an excessive memory copy operation and an immediate system crash. If \u003ccode\u003eCONFIG_LMB\u003c/code\u003e is disabled, this could also result in memory corruption. This vulnerability poses a significant denial-of-service risk for embedded systems utilizing affected U-Boot versions.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains network adjacency to a vulnerable device running U-Boot.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious TCP SYN+ACK packet.\u003c/li\u003e\n\u003cli\u003eThe data offset field within the crafted TCP SYN+ACK packet is manipulated to an invalid value.\u003c/li\u003e\n\u003cli\u003eThe vulnerable U-Boot bootloader receives the malformed TCP SYN+ACK packet in its \u003ccode\u003etcp_rx_state_machine()\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eDuring processing, the manipulated data offset causes the \u003ccode\u003epayload_len\u003c/code\u003e variable to become a negative integer.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eTCP_SYN_SENT\u003c/code\u003e handler calls \u003ccode\u003etcp_rx_user_data()\u003c/code\u003e without proper \u003ccode\u003etcp_seg_in_wnd()\u003c/code\u003e validation for the malformed packet.\u003c/li\u003e\n\u003cli\u003eThe negative \u003ccode\u003epayload_len\u003c/code\u003e is implicitly converted to a very large unsigned integer, which is then passed to \u003ccode\u003ememcpy()\u003c/code\u003e in \u003ccode\u003estore_block()\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ememcpy()\u003c/code\u003e operation attempts to copy an excessively large amount of data, resulting in an immediate bootloader crash and device failure to boot, with potential memory corruption if \u003ccode\u003eCONFIG_LMB\u003c/code\u003e is disabled.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe successful exploitation of CVE-2026-29008 leads to a denial of service (DoS) by causing the affected U-Boot bootloader to crash. This prevents the device from successfully booting, rendering it inoperable until manual intervention or a power cycle. The vulnerability has a CVSS v3.1 base score of 7.5, indicating a high severity. Furthermore, if the \u003ccode\u003eCONFIG_LMB\u003c/code\u003e option is disabled, the arbitrary large \u003ccode\u003ememcpy()\u003c/code\u003e operation could result in memory corruption, potentially leading to further compromise beyond a mere crash, though direct code execution is not explicitly detailed. This impacts embedded devices and systems that rely on U-Boot for their boot process.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately patch U-Boot to a version beyond 2026.04-rc3 to remediate CVE-2026-29008.\u003c/li\u003e\n\u003cli\u003eImplement network intrusion detection/prevention systems (IDS/IPS) to block malformed TCP SYN+ACK packets, particularly those with anomalous data offset values associated with CVE-2026-29008 exploitation attempts.\u003c/li\u003e\n\u003cli\u003eReview network firewall rules to ensure only legitimate and properly formed network traffic reaches critical embedded devices running U-Boot.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-08T17:18:19Z","date_published":"2026-07-08T17:18:19Z","id":"https://feed.craftedsignal.io/briefs/2026-07-u-boot-cve-2026-29008/","summary":"An integer underflow vulnerability (CVE-2026-29008) in U-Boot's `tcp_rx_state_machine()` function allows a network-adjacent attacker to crash the bootloader by sending a crafted TCP SYN+ACK packet, potentially preventing device boot and leading to memory corruption.","title":"CVE-2026-29008: U-Boot Integer Underflow Leads to Bootloader Crash","url":"https://feed.craftedsignal.io/briefs/2026-07-u-boot-cve-2026-29008/"}],"language":"en","title":"CraftedSignal Threat Feed - U-Boot (Through 2026.04-Rc3)","version":"https://jsonfeed.org/version/1.1"}