{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/u-boot/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.2,"id":"CVE-2026-29009"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["U-Boot \u003c= 2026.04-rc3"],"_cs_severities":["high"],"_cs_tags":["buffer-overflow","vulnerability","firmware","nfs","u-boot"],"_cs_type":"advisory","_cs_vendors":["U-Boot Project"],"content_html":"\u003cp\u003eU-Boot through 2026.04-rc3 contains a severe buffer overflow vulnerability (CVE-2026-29009) residing within the \u003ccode\u003enfs_readlink_reply()\u003c/code\u003e function in \u003ccode\u003enet/nfs-common.c\u003c/code\u003e. This flaw is exploitable when \u003ccode\u003eCONFIG_CMD_NFS\u003c/code\u003e is enabled, a common configuration for devices that boot over a network. A malicious or compromised NFS server can exploit this by crafting a sequence of two or more READLINK responses. Each response must contain a relative symlink target approximately 1100 bytes long. When these are appended by the vulnerable U-Boot client without proper cumulative length validation, the 2048-byte \u003ccode\u003enfs_path_buff\u003c/code\u003e buffer overflows. This leads to the corruption of adjacent BSS variables, including critical network configuration data like \u003ccode\u003enfs_server_ip\u003c/code\u003e, \u003ccode\u003enfs_server_mount_port\u003c/code\u003e, \u003ccode\u003enfs_server_port\u003c/code\u003e, \u003ccode\u003enfs_our_port\u003c/code\u003e, \u003ccode\u003enfs_state\u003c/code\u003e, and \u003ccode\u003erpc_id\u003c/code\u003e. The consequence is memory corruption and the potential for an attacker to gain control over the U-Boot NFS client's state machine, enabling further compromise of the embedded device or system.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker compromises or gains control of an NFS server.\u003c/li\u003e\n\u003cli\u003eA vulnerable U-Boot client, with \u003ccode\u003eCONFIG_CMD_NFS\u003c/code\u003e enabled, attempts to perform an NFS operation (e.g., read a symlink) from the attacker-controlled NFS server during its boot process.\u003c/li\u003e\n\u003cli\u003eThe attacker's NFS server sends the first READLINK response to the U-Boot client. This response contains a crafted relative symlink target of approximately 1100 bytes.\u003c/li\u003e\n\u003cli\u003eThe U-Boot client's \u003ccode\u003enfs_readlink_reply()\u003c/code\u003e function processes this response and appends the symlink target to its internal \u003ccode\u003enfs_path_buff\u003c/code\u003e buffer, which has a capacity of 2048 bytes.\u003c/li\u003e\n\u003cli\u003eThe attacker's NFS server then sends a second READLINK response, also containing a relative symlink target of approximately 1100 bytes.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003enfs_readlink_reply()\u003c/code\u003e function attempts to append this second symlink target to \u003ccode\u003enfs_path_buff\u003c/code\u003e without validating the cumulative length of the appended data.\u003c/li\u003e\n\u003cli\u003eThis second append causes the \u003ccode\u003enfs_path_buff\u003c/code\u003e buffer to overflow, corrupting adjacent BSS variables in memory, such as \u003ccode\u003enfs_server_ip\u003c/code\u003e, \u003ccode\u003enfs_state\u003c/code\u003e, and \u003ccode\u003erpc_id\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe memory corruption provides the attacker with potential control over the U-Boot NFS client's state machine, allowing for manipulation of the boot process or further arbitrary actions.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-29009 can lead to severe memory corruption within the U-Boot environment. Attackers can corrupt critical BSS variables, including network configuration parameters and the internal state of the NFS client. This grants the attacker control over the U-Boot NFS client state machine, potentially allowing them to manipulate the boot process, redirect network traffic, or execute arbitrary code during the initial boot stages. While no specific victim counts or industry sectors are identified in the disclosure, any embedded system or device utilizing U-Boot with NFS boot capabilities enabled is at risk, potentially leading to full device compromise before the main operating system even loads.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePatch CVE-2026-29009 on all affected U-Boot installations immediately.\u003c/li\u003e\n\u003cli\u003eReview and disable the \u003ccode\u003eCONFIG_CMD_NFS\u003c/code\u003e option in U-Boot builds if NFS boot functionality is not strictly required.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-08T17:19:10Z","date_published":"2026-07-08T17:19:10Z","id":"https://feed.craftedsignal.io/briefs/2026-07-cve-2026-29009-u-boot-buffer-overflow/","summary":"A buffer overflow vulnerability exists in the nfs_readlink_reply() function of U-Boot versions up to 2026.04-rc3 when CONFIG_CMD_NFS is enabled, allowing a malicious or compromised NFS server to exploit it by sending multiple relative symlink targets, each approximately 1100 bytes long, to overflow the 2048-byte nfs_path_buff, corrupting adjacent BSS variables and potentially leading to memory corruption and control over the NFS client's state machine.","title":"CVE-2026-29009 - U-Boot Buffer Overflow in nfs_readlink_reply()","url":"https://feed.craftedsignal.io/briefs/2026-07-cve-2026-29009-u-boot-buffer-overflow/"}],"language":"en","title":"CraftedSignal Threat Feed - U-Boot","version":"https://jsonfeed.org/version/1.1"}