{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/u-boot-project/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.2,"id":"CVE-2026-29009"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["U-Boot \u003c= 2026.04-rc3"],"_cs_severities":["high"],"_cs_tags":["buffer-overflow","vulnerability","firmware","nfs","u-boot"],"_cs_type":"advisory","_cs_vendors":["U-Boot Project"],"content_html":"\u003cp\u003eU-Boot through 2026.04-rc3 contains a severe buffer overflow vulnerability (CVE-2026-29009) residing within the \u003ccode\u003enfs_readlink_reply()\u003c/code\u003e function in \u003ccode\u003enet/nfs-common.c\u003c/code\u003e. This flaw is exploitable when \u003ccode\u003eCONFIG_CMD_NFS\u003c/code\u003e is enabled, a common configuration for devices that boot over a network. A malicious or compromised NFS server can exploit this by crafting a sequence of two or more READLINK responses. Each response must contain a relative symlink target approximately 1100 bytes long. When these are appended by the vulnerable U-Boot client without proper cumulative length validation, the 2048-byte \u003ccode\u003enfs_path_buff\u003c/code\u003e buffer overflows. This leads to the corruption of adjacent BSS variables, including critical network configuration data like \u003ccode\u003enfs_server_ip\u003c/code\u003e, \u003ccode\u003enfs_server_mount_port\u003c/code\u003e, \u003ccode\u003enfs_server_port\u003c/code\u003e, \u003ccode\u003enfs_our_port\u003c/code\u003e, \u003ccode\u003enfs_state\u003c/code\u003e, and \u003ccode\u003erpc_id\u003c/code\u003e. The consequence is memory corruption and the potential for an attacker to gain control over the U-Boot NFS client's state machine, enabling further compromise of the embedded device or system.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker compromises or gains control of an NFS server.\u003c/li\u003e\n\u003cli\u003eA vulnerable U-Boot client, with \u003ccode\u003eCONFIG_CMD_NFS\u003c/code\u003e enabled, attempts to perform an NFS operation (e.g., read a symlink) from the attacker-controlled NFS server during its boot process.\u003c/li\u003e\n\u003cli\u003eThe attacker's NFS server sends the first READLINK response to the U-Boot client. This response contains a crafted relative symlink target of approximately 1100 bytes.\u003c/li\u003e\n\u003cli\u003eThe U-Boot client's \u003ccode\u003enfs_readlink_reply()\u003c/code\u003e function processes this response and appends the symlink target to its internal \u003ccode\u003enfs_path_buff\u003c/code\u003e buffer, which has a capacity of 2048 bytes.\u003c/li\u003e\n\u003cli\u003eThe attacker's NFS server then sends a second READLINK response, also containing a relative symlink target of approximately 1100 bytes.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003enfs_readlink_reply()\u003c/code\u003e function attempts to append this second symlink target to \u003ccode\u003enfs_path_buff\u003c/code\u003e without validating the cumulative length of the appended data.\u003c/li\u003e\n\u003cli\u003eThis second append causes the \u003ccode\u003enfs_path_buff\u003c/code\u003e buffer to overflow, corrupting adjacent BSS variables in memory, such as \u003ccode\u003enfs_server_ip\u003c/code\u003e, \u003ccode\u003enfs_state\u003c/code\u003e, and \u003ccode\u003erpc_id\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe memory corruption provides the attacker with potential control over the U-Boot NFS client's state machine, allowing for manipulation of the boot process or further arbitrary actions.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-29009 can lead to severe memory corruption within the U-Boot environment. Attackers can corrupt critical BSS variables, including network configuration parameters and the internal state of the NFS client. This grants the attacker control over the U-Boot NFS client state machine, potentially allowing them to manipulate the boot process, redirect network traffic, or execute arbitrary code during the initial boot stages. While no specific victim counts or industry sectors are identified in the disclosure, any embedded system or device utilizing U-Boot with NFS boot capabilities enabled is at risk, potentially leading to full device compromise before the main operating system even loads.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePatch CVE-2026-29009 on all affected U-Boot installations immediately.\u003c/li\u003e\n\u003cli\u003eReview and disable the \u003ccode\u003eCONFIG_CMD_NFS\u003c/code\u003e option in U-Boot builds if NFS boot functionality is not strictly required.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-08T17:19:10Z","date_published":"2026-07-08T17:19:10Z","id":"https://feed.craftedsignal.io/briefs/2026-07-cve-2026-29009-u-boot-buffer-overflow/","summary":"A buffer overflow vulnerability exists in the nfs_readlink_reply() function of U-Boot versions up to 2026.04-rc3 when CONFIG_CMD_NFS is enabled, allowing a malicious or compromised NFS server to exploit it by sending multiple relative symlink targets, each approximately 1100 bytes long, to overflow the 2048-byte nfs_path_buff, corrupting adjacent BSS variables and potentially leading to memory corruption and control over the NFS client's state machine.","title":"CVE-2026-29009 - U-Boot Buffer Overflow in nfs_readlink_reply()","url":"https://feed.craftedsignal.io/briefs/2026-07-cve-2026-29009-u-boot-buffer-overflow/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-29008"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["U-Boot (through 2026.04-rc3)"],"_cs_severities":["high"],"_cs_tags":["denial-of-service","vulnerability","bootloader","network","embedded-systems"],"_cs_type":"advisory","_cs_vendors":["U-Boot Project"],"content_html":"\u003cp\u003eU-Boot versions up to and including 2026.04-rc3 are susceptible to an integer underflow vulnerability (CVE-2026-29008) within the \u003ccode\u003etcp_rx_state_machine()\u003c/code\u003e function, located in \u003ccode\u003enet/tcp.c\u003c/code\u003e. This flaw enables a network-adjacent attacker to trigger a bootloader crash, thereby preventing the device from booting. The attack involves sending a specially crafted TCP SYN+ACK packet where the data offset field is manipulated. This manipulation causes the \u003ccode\u003epayload_len\u003c/code\u003e variable to become negative. Subsequently, this negative value is implicitly converted into a large unsigned integer when passed to \u003ccode\u003ememcpy()\u003c/code\u003e within the \u003ccode\u003estore_block()\u003c/code\u003e function, leading to an excessive memory copy operation and an immediate system crash. If \u003ccode\u003eCONFIG_LMB\u003c/code\u003e is disabled, this could also result in memory corruption. This vulnerability poses a significant denial-of-service risk for embedded systems utilizing affected U-Boot versions.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains network adjacency to a vulnerable device running U-Boot.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious TCP SYN+ACK packet.\u003c/li\u003e\n\u003cli\u003eThe data offset field within the crafted TCP SYN+ACK packet is manipulated to an invalid value.\u003c/li\u003e\n\u003cli\u003eThe vulnerable U-Boot bootloader receives the malformed TCP SYN+ACK packet in its \u003ccode\u003etcp_rx_state_machine()\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eDuring processing, the manipulated data offset causes the \u003ccode\u003epayload_len\u003c/code\u003e variable to become a negative integer.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eTCP_SYN_SENT\u003c/code\u003e handler calls \u003ccode\u003etcp_rx_user_data()\u003c/code\u003e without proper \u003ccode\u003etcp_seg_in_wnd()\u003c/code\u003e validation for the malformed packet.\u003c/li\u003e\n\u003cli\u003eThe negative \u003ccode\u003epayload_len\u003c/code\u003e is implicitly converted to a very large unsigned integer, which is then passed to \u003ccode\u003ememcpy()\u003c/code\u003e in \u003ccode\u003estore_block()\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ememcpy()\u003c/code\u003e operation attempts to copy an excessively large amount of data, resulting in an immediate bootloader crash and device failure to boot, with potential memory corruption if \u003ccode\u003eCONFIG_LMB\u003c/code\u003e is disabled.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe successful exploitation of CVE-2026-29008 leads to a denial of service (DoS) by causing the affected U-Boot bootloader to crash. This prevents the device from successfully booting, rendering it inoperable until manual intervention or a power cycle. The vulnerability has a CVSS v3.1 base score of 7.5, indicating a high severity. Furthermore, if the \u003ccode\u003eCONFIG_LMB\u003c/code\u003e option is disabled, the arbitrary large \u003ccode\u003ememcpy()\u003c/code\u003e operation could result in memory corruption, potentially leading to further compromise beyond a mere crash, though direct code execution is not explicitly detailed. This impacts embedded devices and systems that rely on U-Boot for their boot process.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately patch U-Boot to a version beyond 2026.04-rc3 to remediate CVE-2026-29008.\u003c/li\u003e\n\u003cli\u003eImplement network intrusion detection/prevention systems (IDS/IPS) to block malformed TCP SYN+ACK packets, particularly those with anomalous data offset values associated with CVE-2026-29008 exploitation attempts.\u003c/li\u003e\n\u003cli\u003eReview network firewall rules to ensure only legitimate and properly formed network traffic reaches critical embedded devices running U-Boot.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-08T17:18:19Z","date_published":"2026-07-08T17:18:19Z","id":"https://feed.craftedsignal.io/briefs/2026-07-u-boot-cve-2026-29008/","summary":"An integer underflow vulnerability (CVE-2026-29008) in U-Boot's `tcp_rx_state_machine()` function allows a network-adjacent attacker to crash the bootloader by sending a crafted TCP SYN+ACK packet, potentially preventing device boot and leading to memory corruption.","title":"CVE-2026-29008: U-Boot Integer Underflow Leads to Bootloader Crash","url":"https://feed.craftedsignal.io/briefs/2026-07-u-boot-cve-2026-29008/"}],"language":"en","title":"CraftedSignal Threat Feed - U-Boot Project","version":"https://jsonfeed.org/version/1.1"}