Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attacker must answer U-Boot's outbound TCP connection on the local segment during netboot, so AV:A; no auth or UI; impact is boot-time DoS only, hence A:H and C:N/I:N.
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
U-Boot through 2026.04-rc3 contains an integer underflow vulnerability in the tcp_rx_state_machine() function (net/tcp.c) that allows a network-adjacent attacker to crash the bootloader by sending a malformed TCP SYN+ACK packet with a manipulated data offset field causing payload_len to become negative. When the TCP_SYN_SENT handler calls tcp_rx_user_data() without invoking tcp_seg_in_wnd() validation, the negative payload_len is implicitly converted to a large unsigned integer (e.g., 0xFFFFFFD8) and passed to memcpy() in store_block(), causing an immediate crash that prevents device boot and may enable memory corruption when CONFIG_LMB is disabled.
AnalysisAI
Denial of service (with conditional memory corruption) in Das U-Boot bootloader versions through 2026.04-rc3 lets a network-adjacent attacker crash the device before the OS loads by returning a malformed TCP SYN+ACK to a connection U-Boot has initiated. Because the CVSS 4.0 vector (VA:H, no confidentiality/integrity impact) reflects an availability-only bug rooted in an integer underflow (CWE-191), the practical outcome is a bricked/failed boot; when CONFIG_LMB is disabled, the same underflow can corrupt memory. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The target U-Boot instance must be actively performing an outbound TCP connection and sitting in the TCP_SYN_SENT state - in practice a TCP-based netboot/download (e.g. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The vendor CVSS 4.0 score is 8.7 (High) driven solely by VA:H - availability - with VC:N/VI:N, confirming this is fundamentally a boot-time DoS rather than a code-execution bug in the common case. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker on the same network segment as an embedded device waits for (or triggers) the device to perform a TCP-based network boot/download, placing U-Boot in TCP_SYN_SENT state. The attacker responds with a crafted TCP SYN+ACK whose data-offset field forces payload_len negative; the resulting oversized memcpy in store_block() crashes U-Boot, denying boot. … |
| Remediation | Upstream fix available via the U-Boot mailing list (https://lists.denx.de/pipermail/u-boot/2026-May/617853.html); released patched version not independently confirmed from the provided data, so rebuild firmware from a U-Boot revision that adds tcp_seg_in_wnd() validation before tcp_rx_user_data() in the TCP_SYN_SENT path, or backport that patch. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all devices and systems running Das U-Boot through version 2026.04-rc3; determine network accessibility and criticality of affected bootloaders. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
In Das U-Boot through 2022.07-rc5, an integer signedness error and resultant stack-based buffer overflow in the "i2c md"
Das U-Boot 2022.01 has a Buffer Overflow, a different issue than CVE-2022-30552. Rated high severity (CVSS 7.8), this vu
Das U-Boot through 2020.01 allows attackers to bypass verified boot restrictions and subsequently boot arbitrary images
nfs_lookup_reply in net/nfs.c in Das U-Boot through 2022.04 (and through 2022.07-rc2) has an unbounded memcpy with a fai
DENX U-Boot through 2018.09-rc1 has a remotely exploitable buffer overflow via a malicious TFTP server because TFTP traf
There exists an unchecked length field in UBoot. Rated high severity (CVSS 7.7), this vulnerability is no authentication
An issue was discovered in Das U-Boot through 2019.07. Rated critical severity (CVSS 9.8), this vulnerability is remotel
An issue was discovered in Das U-Boot through 2019.07. Rated critical severity (CVSS 9.8), this vulnerability is remotel
An issue was discovered in Das U-Boot through 2019.07. Rated critical severity (CVSS 9.8), this vulnerability is remotel
An issue was discovered in Das U-Boot through 2019.07. Rated critical severity (CVSS 9.8), this vulnerability is remotel
An issue was discovered in Das U-Boot through 2019.07. Rated critical severity (CVSS 9.8), this vulnerability is remotel
An issue was discovered in Das U-Boot through 2019.07. Rated critical severity (CVSS 9.8), this vulnerability is remotel
Same weakness CWE-191 – Integer Underflow
View allSame technique Integer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42332
GHSA-3qwj-q697-4ppr