<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>U-Boot (Through 2026.04-Rc3) - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/u-boot-through-2026.04-rc3/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 08 Jul 2026 17:18:19 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/u-boot-through-2026.04-rc3/feed.xml" rel="self" type="application/rss+xml"/><item><title>CVE-2026-29008: U-Boot Integer Underflow Leads to Bootloader Crash</title><link>https://feed.craftedsignal.io/briefs/2026-07-u-boot-cve-2026-29008/</link><pubDate>Wed, 08 Jul 2026 17:18:19 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-u-boot-cve-2026-29008/</guid><description>An integer underflow vulnerability (CVE-2026-29008) in U-Boot's `tcp_rx_state_machine()` function allows a network-adjacent attacker to crash the bootloader by sending a crafted TCP SYN+ACK packet, potentially preventing device boot and leading to memory corruption.</description><content:encoded><![CDATA[<p>U-Boot versions up to and including 2026.04-rc3 are susceptible to an integer underflow vulnerability (CVE-2026-29008) within the <code>tcp_rx_state_machine()</code> function, located in <code>net/tcp.c</code>. This flaw enables a network-adjacent attacker to trigger a bootloader crash, thereby preventing the device from booting. The attack involves sending a specially crafted TCP SYN+ACK packet where the data offset field is manipulated. This manipulation causes the <code>payload_len</code> variable to become negative. Subsequently, this negative value is implicitly converted into a large unsigned integer when passed to <code>memcpy()</code> within the <code>store_block()</code> function, leading to an excessive memory copy operation and an immediate system crash. If <code>CONFIG_LMB</code> is disabled, this could also result in memory corruption. This vulnerability poses a significant denial-of-service risk for embedded systems utilizing affected U-Boot versions.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker gains network adjacency to a vulnerable device running U-Boot.</li>
<li>The attacker crafts a malicious TCP SYN+ACK packet.</li>
<li>The data offset field within the crafted TCP SYN+ACK packet is manipulated to an invalid value.</li>
<li>The vulnerable U-Boot bootloader receives the malformed TCP SYN+ACK packet in its <code>tcp_rx_state_machine()</code> function.</li>
<li>During processing, the manipulated data offset causes the <code>payload_len</code> variable to become a negative integer.</li>
<li>The <code>TCP_SYN_SENT</code> handler calls <code>tcp_rx_user_data()</code> without proper <code>tcp_seg_in_wnd()</code> validation for the malformed packet.</li>
<li>The negative <code>payload_len</code> is implicitly converted to a very large unsigned integer, which is then passed to <code>memcpy()</code> in <code>store_block()</code>.</li>
<li>The <code>memcpy()</code> operation attempts to copy an excessively large amount of data, resulting in an immediate bootloader crash and device failure to boot, with potential memory corruption if <code>CONFIG_LMB</code> is disabled.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The successful exploitation of CVE-2026-29008 leads to a denial of service (DoS) by causing the affected U-Boot bootloader to crash. This prevents the device from successfully booting, rendering it inoperable until manual intervention or a power cycle. The vulnerability has a CVSS v3.1 base score of 7.5, indicating a high severity. Furthermore, if the <code>CONFIG_LMB</code> option is disabled, the arbitrary large <code>memcpy()</code> operation could result in memory corruption, potentially leading to further compromise beyond a mere crash, though direct code execution is not explicitly detailed. This impacts embedded devices and systems that rely on U-Boot for their boot process.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Immediately patch U-Boot to a version beyond 2026.04-rc3 to remediate CVE-2026-29008.</li>
<li>Implement network intrusion detection/prevention systems (IDS/IPS) to block malformed TCP SYN+ACK packets, particularly those with anomalous data offset values associated with CVE-2026-29008 exploitation attempts.</li>
<li>Review network firewall rules to ensure only legitimate and properly formed network traffic reaches critical embedded devices running U-Boot.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>denial-of-service</category><category>vulnerability</category><category>bootloader</category><category>network</category><category>embedded-systems</category></item></channel></rss>