Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable via a malicious/compromised NFS server with no auth (PR:N) and simple crafted responses (AC:L); memory corruption yields high availability impact and limited integrity, no disclosure (C:N).
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
U-Boot through 2026.04-rc3 contains a buffer overflow vulnerability in nfs_readlink_reply() (net/nfs-common.c) when CONFIG_CMD_NFS is enabled, allowing a malicious or compromised NFS server to overflow the 2048-byte nfs_path_buff buffer by returning multiple relative symlink targets that are appended without cumulative length validation. Attackers can send two or more READLINK responses containing relative symlink targets of approximately 1100 bytes each to corrupt adjacent BSS variables including nfs_server_ip, nfs_server_mount_port, nfs_server_port, nfs_our_port, nfs_state, and rpc_id, potentially achieving memory corruption and control over the NFS client state machine.
AnalysisAI
Server-controlled buffer overflow in Das U-Boot (bootloader) through 2026.04-rc3 lets a malicious or compromised NFS server corrupt memory in an U-Boot client built with CONFIG_CMD_NFS. The flaw lives in nfs_readlink_reply() (net/nfs-common.c), where relative symlink targets from consecutive READLINK responses are appended to the fixed 2048-byte nfs_path_buff without cumulative length checks; two responses of ~1100 bytes each overflow it and clobber adjacent BSS state (nfs_server_ip, nfs_server_mount_port, nfs_server_port, nfs_our_port, nfs_state, rpc_id), giving control over the NFS client state machine. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that the target U-Boot binary is built with CONFIG_CMD_NFS enabled and that the device performs an NFS operation which triggers a READLINK on a symlink whose target is relative. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The supplied CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N, VC:N/VI:L/VA:H, all subsequent-system metrics N) scores 8.8 and frames this as a network-reachable, low-complexity issue with high availability impact and limited integrity impact - consistent with memory corruption that can hang or hijack the NFS client without direct disclosure. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who operates, compromises, or MITMs the NFS server that a U-Boot device contacts during network boot waits for the client to issue a READLINK on a symlink, then replies with two or more crafted responses each carrying a ~1100-byte relative symlink target. The appended data overruns the 2048-byte nfs_path_buff and rewrites adjacent BSS state (server IP, ports, nfs_state, rpc_id), letting the attacker crash the boot or steer the NFS client state machine. … |
| Remediation | No specific vendor-released patched version was provided in the input, and the fix reference points to the U-Boot developer mailing list rather than a tagged release, so this is best characterized as an upstream fix discussed/available on the mailing list (https://lists.denx.de/pipermail/u-boot/2026-May/617853.html) with a released patched version not independently confirmed; track the u-boot.org release notes and the VulnCheck advisory (https://www.vulncheck.com/advisories/u-boot-rc3-buffer-overflow-in-nfs-readlink-reply-via-nfs-readlink) for the tagged build that adds cumulative-length validation in nfs_readlink_reply(), then rebuild and reflash affected firmware. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Identify all systems running U-Boot with CONFIG_CMD_NFS enabled, particularly those using NFS boot. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
In Das U-Boot through 2022.07-rc5, an integer signedness error and resultant stack-based buffer overflow in the "i2c md"
Das U-Boot 2022.01 has a Buffer Overflow, a different issue than CVE-2022-30552. Rated high severity (CVSS 7.8), this vu
Das U-Boot through 2020.01 allows attackers to bypass verified boot restrictions and subsequently boot arbitrary images
nfs_lookup_reply in net/nfs.c in Das U-Boot through 2022.04 (and through 2022.07-rc2) has an unbounded memcpy with a fai
DENX U-Boot through 2018.09-rc1 has a remotely exploitable buffer overflow via a malicious TFTP server because TFTP traf
There exists an unchecked length field in UBoot. Rated high severity (CVSS 7.7), this vulnerability is no authentication
An issue was discovered in Das U-Boot through 2019.07. Rated critical severity (CVSS 9.8), this vulnerability is remotel
An issue was discovered in Das U-Boot through 2019.07. Rated critical severity (CVSS 9.8), this vulnerability is remotel
An issue was discovered in Das U-Boot through 2019.07. Rated critical severity (CVSS 9.8), this vulnerability is remotel
An issue was discovered in Das U-Boot through 2019.07. Rated critical severity (CVSS 9.8), this vulnerability is remotel
An issue was discovered in Das U-Boot through 2019.07. Rated critical severity (CVSS 9.8), this vulnerability is remotel
An issue was discovered in Das U-Boot through 2019.07. Rated critical severity (CVSS 9.8), this vulnerability is remotel
Same weakness CWE-120 – Classic Buffer Overflow
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42333
GHSA-rqrq-75p3-gc68