Skip to main content

Das U-Boot EUVDEUVD-2026-42333

| CVE-2026-29009 HIGH
Classic Buffer Overflow (CWE-120)
2026-07-08 VulnCheck GHSA-rqrq-75p3-gc68
8.8
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
8.8 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
8.2 HIGH

Network-reachable via a malicious/compromised NFS server with no auth (PR:N) and simple crafted responses (AC:L); memory corruption yields high availability impact and limited integrity, no disclosure (C:N).

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jul 08, 2026 - 17:00 vuln.today

DescriptionCVE.org

U-Boot through 2026.04-rc3 contains a buffer overflow vulnerability in nfs_readlink_reply() (net/nfs-common.c) when CONFIG_CMD_NFS is enabled, allowing a malicious or compromised NFS server to overflow the 2048-byte nfs_path_buff buffer by returning multiple relative symlink targets that are appended without cumulative length validation. Attackers can send two or more READLINK responses containing relative symlink targets of approximately 1100 bytes each to corrupt adjacent BSS variables including nfs_server_ip, nfs_server_mount_port, nfs_server_port, nfs_our_port, nfs_state, and rpc_id, potentially achieving memory corruption and control over the NFS client state machine.

AnalysisAI

Server-controlled buffer overflow in Das U-Boot (bootloader) through 2026.04-rc3 lets a malicious or compromised NFS server corrupt memory in an U-Boot client built with CONFIG_CMD_NFS. The flaw lives in nfs_readlink_reply() (net/nfs-common.c), where relative symlink targets from consecutive READLINK responses are appended to the fixed 2048-byte nfs_path_buff without cumulative length checks; two responses of ~1100 bytes each overflow it and clobber adjacent BSS state (nfs_server_ip, nfs_server_mount_port, nfs_server_port, nfs_our_port, nfs_state, rpc_id), giving control over the NFS client state machine. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Gain NFS server or on-path position
Delivery
Wait for U-Boot NFS READLINK request
Exploit
Return multiple oversized relative symlink targets
Execution
Append past 2048-byte nfs_path_buff
Persist
Overwrite adjacent BSS state variables
Impact
Hijack NFS client state machine / crash boot

Vulnerability AssessmentAI

Exploitation Exploitation requires that the target U-Boot binary is built with CONFIG_CMD_NFS enabled and that the device performs an NFS operation which triggers a READLINK on a symlink whose target is relative. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The supplied CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N, VC:N/VI:L/VA:H, all subsequent-system metrics N) scores 8.8 and frames this as a network-reachable, low-complexity issue with high availability impact and limited integrity impact - consistent with memory corruption that can hang or hijack the NFS client without direct disclosure. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who operates, compromises, or MITMs the NFS server that a U-Boot device contacts during network boot waits for the client to issue a READLINK on a symlink, then replies with two or more crafted responses each carrying a ~1100-byte relative symlink target. The appended data overruns the 2048-byte nfs_path_buff and rewrites adjacent BSS state (server IP, ports, nfs_state, rpc_id), letting the attacker crash the boot or steer the NFS client state machine. …
Remediation No specific vendor-released patched version was provided in the input, and the fix reference points to the U-Boot developer mailing list rather than a tagged release, so this is best characterized as an upstream fix discussed/available on the mailing list (https://lists.denx.de/pipermail/u-boot/2026-May/617853.html) with a released patched version not independently confirmed; track the u-boot.org release notes and the VulnCheck advisory (https://www.vulncheck.com/advisories/u-boot-rc3-buffer-overflow-in-nfs-readlink-reply-via-nfs-readlink) for the tagged build that adds cumulative-length validation in nfs_readlink_reply(), then rebuild and reflash affected firmware. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Identify all systems running U-Boot with CONFIG_CMD_NFS enabled, particularly those using NFS boot. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in U Boot

View all
CVE-2022-34835 CRITICAL POC
9.8 Jun 30

In Das U-Boot through 2022.07-rc5, an integer signedness error and resultant stack-based buffer overflow in the "i2c md"

CVE-2022-30790 HIGH POC
7.8 Jun 08

Das U-Boot 2022.01 has a Buffer Overflow, a different issue than CVE-2022-30552. Rated high severity (CVSS 7.8), this vu

CVE-2020-10648 HIGH POC
7.8 Mar 19

Das U-Boot through 2020.01 allows attackers to bypass verified boot restrictions and subsequently boot arbitrary images

CVE-2022-30767 CRITICAL POC
9.8 May 16

nfs_lookup_reply in net/nfs.c in Das U-Boot through 2022.04 (and through 2022.07-rc2) has an unbounded memcpy with a fai

CVE-2018-18439 CRITICAL POC
9.8 Nov 20

DENX U-Boot through 2018.09-rc1 has a remotely exploitable buffer overflow via a malicious TFTP server because TFTP traf

CVE-2022-2347 HIGH POC
7.7 Sep 23

There exists an unchecked length field in UBoot. Rated high severity (CVSS 7.7), this vulnerability is no authentication

CVE-2019-14199 CRITICAL
9.8 Jul 31

An issue was discovered in Das U-Boot through 2019.07. Rated critical severity (CVSS 9.8), this vulnerability is remotel

CVE-2019-14193 CRITICAL
9.8 Jul 31

An issue was discovered in Das U-Boot through 2019.07. Rated critical severity (CVSS 9.8), this vulnerability is remotel

CVE-2019-14203 CRITICAL
9.8 Jul 31

An issue was discovered in Das U-Boot through 2019.07. Rated critical severity (CVSS 9.8), this vulnerability is remotel

CVE-2019-14202 CRITICAL
9.8 Jul 31

An issue was discovered in Das U-Boot through 2019.07. Rated critical severity (CVSS 9.8), this vulnerability is remotel

CVE-2019-14201 CRITICAL
9.8 Jul 31

An issue was discovered in Das U-Boot through 2019.07. Rated critical severity (CVSS 9.8), this vulnerability is remotel

CVE-2019-14200 CRITICAL
9.8 Jul 31

An issue was discovered in Das U-Boot through 2019.07. Rated critical severity (CVSS 9.8), this vulnerability is remotel

Share

EUVD-2026-42333 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy