PatchSiren cyber security CVE debrief
CVE-2019-14192 Denx CVE debrief
CVE-2019-14192 is a critical memory-corruption flaw in Das U-Boot’s network packet handling. According to the NVD record, a UDP packet parsed through nc_input_packet can drive an integer underflow in net_process_received_packet, leading to an unbounded memcpy. The CVSS 3.0 vector is network-reachable, requires no privileges or user interaction, and is scored 9.8. Systems using affected U-Boot releases through 2019.07 should be treated as high priority for review and remediation.
- Vendor: Denx
- Product: CVE-2019-14192
- CVSS: CRITICAL 9.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2019-07-31
- Original CVE updated: 2026-05-12
- Advisory published: 2019-07-31
- Advisory updated: 2026-05-12
Who should care
Embedded device vendors, firmware maintainers, and operators of products that use U-Boot for boot-time networking, provisioning, or network boot paths should care most. This includes downstream integrators that ship custom U-Boot forks or reuse vendor trees without regularly backporting fixes.
Technical summary
The supplied NVD record identifies two weakness classes, CWE-191 (integer underflow) and CWE-787 (out-of-bounds write). The flaw is described as an unbounded memcpy during UDP packet parsing, triggered by an integer underflow in net_process_received_packet while processing nc_input_packet. NVD lists affected U-Boot versions through 2019.07 and assigns CVSS 3.0 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating a remotely reachable issue with no authentication or user interaction required.
Defensive priority
Immediate. This is a critical, remotely reachable memory-corruption issue in a bootloader component, so affected deployments should be inventoried and remediated as soon as possible.
Recommended defensive actions
- Inventory all products, firmware images, and downstream forks that include U-Boot and confirm whether they are at or below 2019.07.
- Apply the upstream or vendor-provided fix from official U-Boot guidance, or upgrade to a remediated release.
- Restrict exposure of boot-time network services and provisioning paths to trusted networks only, especially where UDP-based boot traffic is possible.
- Backport the fix into any custom downstream tree and re-test packet-length validation around the affected parsing path.
- Track vendor advisories and NVD updates for this CVE to confirm remediation status across all deployed product lines.
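The technical summary describes a length underflow that turns into an unbounded memcpy, and the actions above call for re-testing packet-length validation around the parsing path. The following is an added, constructed model of that defect class and of the check a reviewer would expect; it is not U-Boot's own code, and the header offsets assume a 20-byte IPv4 header with no options followed by an 8-byte UDP header.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed model of the CVE-2019-14192 defect class; not U-Boot's own code.
 * Offsets assume a 20-byte IPv4 header (no options) followed by the 8-byte UDP header. */
#define IP_HDR_SIZE     20
#define UDP_HDR_SIZE    8
#define IP_UDP_HDR_SIZE (IP_HDR_SIZE + UDP_HDR_SIZE)   /* 28 */
#define OFF_IP_LEN      2                              /* IPv4 total length, big-endian */
#define OFF_UDP_LEN     (IP_HDR_SIZE + 4)              /* UDP length, big-endian */

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }

/* Unchecked form: when the advertised IP length is smaller than the headers,
 * the unsigned subtraction wraps (CWE-191) and the "payload length" that
 * would feed a memcpy becomes enormous (CWE-787). */
size_t payload_len_unchecked(const uint8_t *pkt)
{
    return (size_t)be16(pkt + OFF_IP_LEN) - IP_UDP_HDR_SIZE;
}

/* Hardened form: every length is checked against the bytes actually received
 * and against each other before any arithmetic is trusted.
 * Returns the UDP payload length, or -1 if the frame is inconsistent. */
long payload_len_checked(const uint8_t *pkt, size_t received)
{
    if (received < IP_UDP_HDR_SIZE)
        return -1;                     /* too short to hold both headers */
    size_t ip_len  = be16(pkt + OFF_IP_LEN);
    size_t udp_len = be16(pkt + OFF_UDP_LEN);
    if (ip_len < IP_UDP_HDR_SIZE || ip_len > received)
        return -1;                     /* would underflow, or claims more than arrived */
    if (udp_len < UDP_HDR_SIZE || udp_len > ip_len - IP_HDR_SIZE)
        return -1;                     /* UDP length must fit inside the IP datagram */
    return (long)(udp_len - UDP_HDR_SIZE);
}

/* Constructed sample frame: zeroed bytes with only the fields this check reads set. */
void make_frame(uint8_t *buf, size_t cap, uint16_t ip_len, uint16_t udp_len)
{
    memset(buf, 0, cap);
    buf[0] = 0x45;                     /* IPv4, IHL = 5 (20-byte header) */
    buf[9] = 17;                       /* protocol = UDP */
    put16(buf + OFF_IP_LEN, ip_len);
    put16(buf + OFF_UDP_LEN, udp_len);
}
```

A unit test that feeds `payload_len_checked` frames with an IP length below 28, a UDP length larger than the IP datagram, and a truncated receive buffer is the kind of regression check worth keeping in a downstream tree after backporting the fix.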
Evidence notes
Evidence is limited to the supplied NVD and linked reference corpus. The NVD record was published on 2019-07-31 and modified on 2026-05-12. NVD lists affected CPE coverage for denx:u-boot through version 2019.07, with weaknesses CWE-191 and CWE-787 and CVSS 3.0 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The record also cites third-party and project references, including a Semmle advisory, the U-Boot GitLab project, and a Siemens CERT advisory reference.
Official resources
- CVE-2019-14192 CVE record (CVE.org)
- CVE-2019-14192 NVD detail (NVD)
Publicly disclosed in the NVD record on 2019-07-31; this debrief reflects the record as modified on 2026-05-12.