Skip to main content

U-Boot EUVDEUVD-2026-42332

| CVE-2026-29008 HIGH
Integer Underflow (CWE-191)
2026-07-08 VulnCheck GHSA-3qwj-q697-4ppr
8.7
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
6.5 MEDIUM

Attacker must answer U-Boot's outbound TCP connection on the local segment during netboot, so AV:A; no auth or UI; impact is boot-time DoS only, hence A:H and C:N/I:N.

3.1 AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jul 08, 2026 - 17:01 vuln.today

DescriptionCVE.org

U-Boot through 2026.04-rc3 contains an integer underflow vulnerability in the tcp_rx_state_machine() function (net/tcp.c) that allows a network-adjacent attacker to crash the bootloader by sending a malformed TCP SYN+ACK packet with a manipulated data offset field causing payload_len to become negative. When the TCP_SYN_SENT handler calls tcp_rx_user_data() without invoking tcp_seg_in_wnd() validation, the negative payload_len is implicitly converted to a large unsigned integer (e.g., 0xFFFFFFD8) and passed to memcpy() in store_block(), causing an immediate crash that prevents device boot and may enable memory corruption when CONFIG_LMB is disabled.

AnalysisAI

Denial of service (with conditional memory corruption) in Das U-Boot bootloader versions through 2026.04-rc3 lets a network-adjacent attacker crash the device before the OS loads by returning a malformed TCP SYN+ACK to a connection U-Boot has initiated. Because the CVSS 4.0 vector (VA:H, no confidentiality/integrity impact) reflects an availability-only bug rooted in an integer underflow (CWE-191), the practical outcome is a bricked/failed boot; when CONFIG_LMB is disabled, the same underflow can corrupt memory. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Gain adjacent-network position during netboot
Delivery
Device initiates TCP download (SYN_SENT)
Exploit
Reply with malformed SYN+ACK (bad data offset)
Execution
Integer underflow makes payload_len negative
Persist
Oversized memcpy in store_block()
Impact
Bootloader crash, device fails to boot

Vulnerability AssessmentAI

Exploitation The target U-Boot instance must be actively performing an outbound TCP connection and sitting in the TCP_SYN_SENT state - in practice a TCP-based netboot/download (e.g. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The vendor CVSS 4.0 score is 8.7 (High) driven solely by VA:H - availability - with VC:N/VI:N, confirming this is fundamentally a boot-time DoS rather than a code-execution bug in the common case. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker on the same network segment as an embedded device waits for (or triggers) the device to perform a TCP-based network boot/download, placing U-Boot in TCP_SYN_SENT state. The attacker responds with a crafted TCP SYN+ACK whose data-offset field forces payload_len negative; the resulting oversized memcpy in store_block() crashes U-Boot, denying boot. …
Remediation Upstream fix available via the U-Boot mailing list (https://lists.denx.de/pipermail/u-boot/2026-May/617853.html); released patched version not independently confirmed from the provided data, so rebuild firmware from a U-Boot revision that adds tcp_seg_in_wnd() validation before tcp_rx_user_data() in the TCP_SYN_SENT path, or backport that patch. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all devices and systems running Das U-Boot through version 2026.04-rc3; determine network accessibility and criticality of affected bootloaders. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in U Boot

View all
CVE-2022-34835 CRITICAL POC
9.8 Jun 30

In Das U-Boot through 2022.07-rc5, an integer signedness error and resultant stack-based buffer overflow in the "i2c md"

CVE-2022-30790 HIGH POC
7.8 Jun 08

Das U-Boot 2022.01 has a Buffer Overflow, a different issue than CVE-2022-30552. Rated high severity (CVSS 7.8), this vu

CVE-2020-10648 HIGH POC
7.8 Mar 19

Das U-Boot through 2020.01 allows attackers to bypass verified boot restrictions and subsequently boot arbitrary images

CVE-2022-30767 CRITICAL POC
9.8 May 16

nfs_lookup_reply in net/nfs.c in Das U-Boot through 2022.04 (and through 2022.07-rc2) has an unbounded memcpy with a fai

CVE-2018-18439 CRITICAL POC
9.8 Nov 20

DENX U-Boot through 2018.09-rc1 has a remotely exploitable buffer overflow via a malicious TFTP server because TFTP traf

CVE-2022-2347 HIGH POC
7.7 Sep 23

There exists an unchecked length field in UBoot. Rated high severity (CVSS 7.7), this vulnerability is no authentication

CVE-2019-14199 CRITICAL
9.8 Jul 31

An issue was discovered in Das U-Boot through 2019.07. Rated critical severity (CVSS 9.8), this vulnerability is remotel

CVE-2019-14193 CRITICAL
9.8 Jul 31

An issue was discovered in Das U-Boot through 2019.07. Rated critical severity (CVSS 9.8), this vulnerability is remotel

CVE-2019-14203 CRITICAL
9.8 Jul 31

An issue was discovered in Das U-Boot through 2019.07. Rated critical severity (CVSS 9.8), this vulnerability is remotel

CVE-2019-14202 CRITICAL
9.8 Jul 31

An issue was discovered in Das U-Boot through 2019.07. Rated critical severity (CVSS 9.8), this vulnerability is remotel

CVE-2019-14201 CRITICAL
9.8 Jul 31

An issue was discovered in Das U-Boot through 2019.07. Rated critical severity (CVSS 9.8), this vulnerability is remotel

CVE-2019-14200 CRITICAL
9.8 Jul 31

An issue was discovered in Das U-Boot through 2019.07. Rated critical severity (CVSS 9.8), this vulnerability is remotel

Share

EUVD-2026-42332 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy