PatchSiren

PatchSiren cyber security CVE debrief

CVE-2019-13104 Denx CVE debrief

CVE-2019-13104 is a high-severity memory corruption issue in Das U-Boot's ext4 filesystem handling. According to the CVE description, an underflow can cause memcpy() to overwrite a very large amount of data, including the whole stack, when reading a crafted ext4 filesystem. NVD rates the issue 7.8 HIGH with local access and user interaction required, so the main risk is to devices that parse untrusted storage or boot media during startup.

Vendor
Denx
Product
U-Boot (Das U-Boot)
CVSS
HIGH 7.8
CISA KEV
Not listed in stored evidence
Original CVE published
2019-08-06
Original CVE updated
2026-05-12
Advisory published
2019-08-06
Advisory updated
2026-05-12

Who should care

Firmware and embedded Linux teams shipping U-Boot, OEMs and device vendors that boot from removable or externally sourced storage, downstream distro maintainers, and security teams responsible for embedded systems that may parse ext4 filesystems during boot.

Technical summary

The vulnerability is described as an underflow in U-Boot's ext4 path that can make memcpy() overwrite a very large amount of data, including the stack, while reading a crafted ext4 filesystem. NVD classifies the weakness as CWE-191 (integer underflow) and CWE-787 (out-of-bounds write) and assigns CVSS 3.1 AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H: the attacker needs a crafted filesystem presented to the device and a boot or mount of that media, but no privileges, and the result is full loss of confidentiality, integrity and availability on the affected boot environment. The published affected-version metadata spans multiple U-Boot 2016.09-2019.04 builds and 2019.07 release candidates/releases.
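The following is an added illustration for this debrief, not U-Boot source and not a reproduction of the exact CVE-2019-13104 code path. It models the generic pattern the CVE description names: a copy length derived from filesystem metadata underflows (CWE-191), and memcpy() would then write far past its destination (CWE-787). The structure name fake_extent, its fields, the 1024-byte block size and the sample metadata values are all constructed for the example. The vulnerable helper returns the length it would have passed to memcpy() instead of performing the copy, so the wrap is observable without crashing the process.

```c
/*
 * Added illustration for the PatchSiren debrief of CVE-2019-13104.
 * NOT U-Boot code: a simplified model of an unsigned-length underflow in
 * a block-oriented filesystem reader. Names and values are hypothetical.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BLOCK_SIZE 1024u

/* Constructed stand-in for on-disk metadata that a parser trusts too much:
 * the inode's claimed file length and the logical block being read. In a
 * crafted image both are attacker-controlled. */
struct fake_extent {
    uint32_t file_len;       /* claimed size of the file in bytes */
    uint32_t logical_block;  /* logical block number within the file */
};

/*
 * Vulnerable pattern: "bytes remaining in the final block" is computed as
 * file_len - (block * BLOCK_SIZE) without checking that the block lies
 * inside the file. A forged block number past EOF makes the uint32_t wrap
 * to a value near 2^32, and a memcpy() using it as a count would overwrite
 * far beyond the destination, stack included.
 */
size_t vulnerable_copy_len(const struct fake_extent *ext)
{
    uint32_t remaining = ext->file_len - ext->logical_block * BLOCK_SIZE;
    return (size_t)remaining;   /* would be memcpy()'s third argument */
}

/*
 * Hardened pattern: compute the block offset in 64 bits so the multiply
 * cannot wrap, reject blocks at or beyond EOF before subtracting, clamp to
 * one block, and refuse to exceed the destination buffer. Only then copy.
 * Returns the number of bytes copied, or 0 if the metadata is rejected.
 */
size_t hardened_copy(uint8_t *dst, size_t dst_len,
                     const uint8_t *block, const struct fake_extent *ext)
{
    uint64_t offset = (uint64_t)ext->logical_block * BLOCK_SIZE;
    if (offset >= ext->file_len)        /* block is outside the file */
        return 0;

    uint64_t remaining = ext->file_len - offset;   /* cannot underflow now */
    size_t to_copy = remaining < BLOCK_SIZE ? (size_t)remaining : BLOCK_SIZE;
    if (to_copy > dst_len)              /* never write past the buffer */
        return 0;

    memcpy(dst, block, to_copy);
    return to_copy;
}

/* Convenience wrapper with constructed buffers so the hardened path can be
 * exercised with just the two metadata values. */
size_t demo_hardened(uint32_t file_len, uint32_t logical_block)
{
    static uint8_t block[BLOCK_SIZE];
    static uint8_t out[BLOCK_SIZE];
    struct fake_extent ext = { .file_len = file_len,
                               .logical_block = logical_block };
    memset(block, 0x41, sizeof block);   /* constructed block contents */
    return hardened_copy(out, sizeof out, block, &ext);
}

int main(void)
{
    /* Crafted metadata: logical block 3 starts at byte 3072, but the file
     * is only 1000 bytes long, so the subtraction underflows. */
    struct fake_extent crafted = { .file_len = 1000, .logical_block = 3 };
    printf("vulnerable length: %zu bytes\n", vulnerable_copy_len(&crafted));
    printf("hardened copied:   %zu bytes (0 = rejected)\n",
           demo_hardened(1000, 3));

    /* Sane metadata: a 2500-byte file whose last block holds 452 bytes. */
    printf("hardened copied:   %zu bytes\n", demo_hardened(2500, 2));
    return 0;
}
```

The crafted record yields a "remaining" count of 4294965224 bytes from the vulnerable computation, which is the kind of value the CVE text refers to as an underflow driving memcpy(); the hardened path rejects the same record and copies exactly 452 bytes for the sane one.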

Defensive priority

High priority for any environment that boots from, mounts, or otherwise parses ext4 content from media that may not be trusted or fully controlled.

Recommended defensive actions

  • Upgrade U-Boot to a build that includes the upstream/vendor fix referenced in the DENX mailing list patch thread.
  • Inventory affected devices and firmware images against the NVD/CVE version ranges, including U-Boot 2016.09-2019.04 and 2019.07 release-candidate/release entries, and confirm any downstream backports.
  • Treat removable media, disk images, and other ext4 sources as untrusted until patched devices are verified.
  • Apply downstream vendor or distro advisories relevant to your platform, including openSUSE and Siemens references if those products are in your fleet.
  • Validate boot paths after remediation to ensure the firmware update did not break startup or storage parsing.
  • Reduce exposure to unknown boot media or operator-supplied filesystem images where practical, since the CVSS vector requires local access and user interaction.

Evidence notes

The supplied CVE description states that an underflow in Das U-Boot can cause memcpy() to overwrite a very large amount of data, including the whole stack, when reading a crafted ext4 filesystem. NVD records CVSS 7.8 HIGH, CWE-191 and CWE-787, and vulnerable CPE criteria covering multiple U-Boot versions plus downstream openSUSE entries. The DENX mailing list reference is the primary vendor patch/advisory pointer, while the openSUSE and Siemens advisories corroborate downstream impact and remediation activity.

Official resources

CVE published on 2019-08-06. The source record was last modified on 2026-05-12; that timestamp reflects metadata updates to the record and should not be treated as the vulnerability's disclosure date.