PatchSiren

CVE-2019-13103 Denx CVE debrief

CVE-2019-13103 is a high-severity bootloader flaw in Denx U-Boot. According to the supplied NVD record, a crafted self-referential DOS partition table can trigger infinite recursion in the parser, causing the stack to grow until the system crashes or overwrites other data. NVD lists affected U-Boot versions through 2019.07-rc4, and the weakness is categorized as CWE-674 (Uncontrolled Recursion).

Vendor: Denx
Product: CVE-2019-13103
CVSS: HIGH 7.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2019-07-29
Original CVE updated: 2026-05-12
Advisory published: 2019-07-29
Advisory updated: 2026-05-12

Who should care

Embedded device vendors, OEM firmware teams, and security engineers responsible for U-Boot-based boot chains should prioritize this issue, especially where the bootloader may parse partition tables from untrusted or externally supplied storage.

Technical summary

The supplied NVD data describes a CWE-674 uncontrolled recursion issue in Denx U-Boot. A crafted self-referential DOS partition table can cause the parser to recurse indefinitely during boot-time processing, leading to stack exhaustion and potential memory corruption. The affected scope in the corpus includes U-Boot versions through 2019.07-rc4, including the 2019.04 release line and the 2019.07 release candidates rc1 through rc4. The CVSS vector provided by NVD is CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H.

Defensive priority

High for any fleet using affected U-Boot builds. Prioritize systems that boot from media or images whose partition tables may not be fully trusted, because the impact is boot failure and possible data corruption in a privileged early-boot component.

Recommended defensive actions

  • Inventory all products and firmware images that embed U-Boot, and confirm whether they use versions in the affected range listed by NVD.
  • Apply the vendor/U-Boot patch referenced in the mailing list and commit-history links, and move affected deployments to a non-vulnerable release.
  • Treat DOS partition-table parsing as untrusted input; add or verify recursion-depth limits and cycle detection in any downstream forks or board-specific modifications.
  • Test boot paths in staging with malformed partition-table handling to confirm the device fails safely instead of recursing indefinitely.
  • Monitor for boot failures, watchdog resets, or unexpected early-boot crashes on devices that may encounter crafted storage media or images.
  • Use the Siemens advisories and U-Boot mailing-list discussion as remediation references when coordinating fixes across vendors and downstream integrators.
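The recursion-depth limit and cycle detection recommended above, sketched as an added example for reviewing a downstream fork; it is not U-Boot's code and not the upstream patch. It assumes the disk image is already in memory, 512-byte sectors, link LBAs relative to the start of the extended partition, and a hypothetical cap of 16 chained tables; `walk_chain` and `put_entry` are illustrative names.

```c
#include <stddef.h>
#include <stdint.h>
#define SECTOR        512
#define MAX_EBR_CHAIN 16 /* assumed cap on chained tables; size it per product */
#define IS_EXT(t)     ((t) == 0x05 || (t) == 0x0f || (t) == 0x85)

enum { WALK_OK = 0, WALK_BAD_SIG = -1, WALK_RANGE = -2, WALK_LOOP = -3, WALK_TOO_DEEP = -4 };

/* Constructed-input helper: set entry idx (type, start LBA) and the 55 AA signature. */
void put_entry(uint8_t *img, uint32_t sector, int idx, uint8_t type, uint32_t start)
{
    uint8_t *s = img + (size_t)sector * SECTOR, *e = s + 446 + 16 * idx;
    e[4] = type;
    for (int b = 0; b < 4; b++)
        e[8 + b] = (uint8_t)(start >> (8 * b));   /* little-endian LBA */
    s[510] = 0x55;
    s[511] = 0xaa;
}

/* Iteratively walk the EBR chain of the extended partition at ext_start. */
int walk_chain(const uint8_t *img, uint32_t nsect, uint32_t ext_start, int *nparts)
{
    uint32_t seen[MAX_EBR_CHAIN], cur = ext_start;
    *nparts = 0;
    for (int depth = 0; depth < MAX_EBR_CHAIN; depth++) {
        if (cur >= nsect)
            return WALK_RANGE;                    /* link leaves the device */
        for (int i = 0; i < depth; i++)
            if (seen[i] == cur)
                return WALK_LOOP;                 /* table already visited */
        seen[depth] = cur;
        const uint8_t *s = img + (size_t)cur * SECTOR, *next = NULL;
        if (s[510] != 0x55 || s[511] != 0xaa)
            return WALK_BAD_SIG;
        for (const uint8_t *e = s + 446; e < s + 510; e += 16) {
            if (IS_EXT(e[4]))
                next = next ? next : e;           /* follow the first link only */
            else if (e[4] != 0)
                (*nparts)++;                      /* a data (logical) partition */
        }
        if (!next)
            return WALK_OK;                       /* chain ends here */
        uint32_t rel = next[8] | (uint32_t)next[9] << 8 | (uint32_t)next[10] << 16 | (uint32_t)next[11] << 24;
        if (rel >= nsect - ext_start)
            return WALK_RANGE;
        cur = ext_start + rel;
    }
    return WALK_TOO_DEEP;                         /* chain longer than the cap */
}
```

Because the walk is a loop with a fixed-size `seen` array, stack use is constant regardless of what the table contains, and every malformed case returns a distinct error a staging test can assert on.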

Evidence notes

The supplied corpus shows CVE publication on 2019-07-29 and later record modification on 2026-05-12; the modification date is NVD record maintenance, not the vulnerability issue date. NVD identifies the weakness as CWE-674 and provides the CVSS 3.1 vector AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H. The affected CPE criteria in the corpus cover U-Boot through 2019.07-rc4. Patch/advisory references include Siemens advisories, the U-Boot mailing-list thread, and U-Boot commit history.

Official resources

Publicly disclosed on 2019-07-29. The NVD record was later modified on 2026-05-12; that date reflects record updates, not original disclosure.