PatchSiren

PatchSiren cyber security CVE debrief

CVE-2019-14193 Denx CVE debrief

CVE-2019-14193 is a critical memory-corruption vulnerability in Das U-Boot through 2019.07. NVD describes an unbounded memcpy with an unvalidated length in nfs_readlink_reply after calculating a new path length, and rates the issue 9.8 (CVSS 3.0: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Vendor: Denx
Product: CVE-2019-14193
CVSS: CRITICAL 9.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2019-07-31
Original CVE updated: 2026-05-12
Advisory published: 2019-07-31
Advisory updated: 2026-05-12

Who should care

Teams maintaining or deploying U-Boot/DENX U-Boot should treat this as high priority, especially if the firmware uses U-Boot NFS functionality or receives network-controlled NFS data.

Technical summary

The vulnerable code path is nfs_readlink_reply. According to the CVE description, the function calculates a new path length from the symlink target carried in the NFS reply and then enters an if block that performs memcpy using that unvalidated length. Because the length comes from the reply, it is network-controlled data. That pattern maps to CWE-787 (out-of-bounds write / memory corruption) and can lead to severe confidentiality, integrity, and availability impact under the NVD-assigned CVSS vector.
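To make the bug class concrete for reviewers auditing similar handlers, the following is an added example written for this debrief; it is not U-Boot source and does not reproduce nfs_readlink_reply. It models the pattern the description names: a handler computes a new path length from a length field in a network reply and copies into a fixed-size path buffer. The reply layout (4-byte big-endian length followed by target bytes), the 64-byte NFS_PATH_MAX buffer, the absolute-versus-relative handling and every function name are assumptions made for the example. The handler shows the two checks the CVE text says were missing: the claimed length is checked against the bytes actually received, and the computed new path length is checked against the destination buffer before memcpy.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Added example, not U-Boot code. Buffer size, reply layout and names are
 * assumptions chosen to illustrate the checks, not the real implementation. */

#define NFS_PATH_MAX 64   /* assumed size of the fixed path buffer */

enum readlink_status {
    RL_OK = 0,
    RL_ERR_SHORT_REPLY = -1,   /* reply does not carry the bytes it claims */
    RL_ERR_TOO_LONG = -2       /* new path would not fit the buffer */
};

/* Assumed reply layout: 4-byte big-endian target length, then target bytes. */
static uint32_t get_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Hardened handler: every length derived from the reply is validated against
 * both the reply itself and the destination buffer before any memcpy.
 * nfs_path holds the current, NUL-terminated directory path on entry. */
int handle_readlink_reply(const uint8_t *reply, size_t reply_len,
                          char *nfs_path, size_t path_size)
{
    if (reply_len < 4)
        return RL_ERR_SHORT_REPLY;
    uint32_t rlen = get_be32(reply);
    const uint8_t *target = reply + 4;

    /* Check 1: the reply must actually contain rlen bytes of target. */
    if (rlen > reply_len - 4)
        return RL_ERR_SHORT_REPLY;

    if (rlen > 0 && target[0] == '/') {
        /* Absolute target replaces the current path (assumed behaviour). */
        if ((size_t)rlen + 1 > path_size)          /* +1 for the terminator */
            return RL_ERR_TOO_LONG;
        memcpy(nfs_path, target, rlen);
        nfs_path[rlen] = '\0';
        return RL_OK;
    }

    /* Relative target is appended as "<dir>/<target>". Check 2: compute the
     * new path length first and validate it before writing anything. */
    const char *nul = memchr(nfs_path, '\0', path_size);
    if (nul == NULL)
        return RL_ERR_TOO_LONG;                     /* unterminated input path */
    size_t pathlen = (size_t)(nul - nfs_path);
    size_t newlen = pathlen + 1 + rlen;             /* dir + '/' + target */
    if (newlen + 1 > path_size)
        return RL_ERR_TOO_LONG;
    nfs_path[pathlen] = '/';
    memcpy(nfs_path + pathlen + 1, target, rlen);
    nfs_path[newlen] = '\0';
    return RL_OK;
}

/* Builds a constructed reply: length field + target bytes. The claimed length
 * is a separate parameter so a mismatch with the payload can be exercised.
 * Returns total bytes written, or 0 if the output buffer is too small. */
size_t build_readlink_reply(uint8_t *out, size_t out_size,
                            const char *target, uint32_t claimed_len)
{
    size_t tlen = strlen(target);
    if (out_size < 4 + tlen)
        return 0;
    out[0] = (uint8_t)(claimed_len >> 24);
    out[1] = (uint8_t)(claimed_len >> 16);
    out[2] = (uint8_t)(claimed_len >> 8);
    out[3] = (uint8_t)claimed_len;
    memcpy(out + 4, target, tlen);
    return 4 + tlen;
}

/* Copies dir into path_out, applies a constructed reply, returns the status. */
int apply_readlink(const char *dir, const char *target, uint32_t claimed_len,
                   char *path_out, size_t path_size)
{
    uint8_t reply[256];
    size_t n = build_readlink_reply(reply, sizeof reply, target, claimed_len);
    if (n == 0)
        return RL_ERR_SHORT_REPLY;
    strncpy(path_out, dir, path_size - 1);
    path_out[path_size - 1] = '\0';
    return handle_readlink_reply(reply, n, path_out, path_size);
}

int main(void)
{
    char path[NFS_PATH_MAX];
    int rc = apply_readlink("/boot", "zImage", 6, path, sizeof path);
    printf("relative: rc=%d path=%s\n", rc, path);
    /* Constructed oversized target: 80 bytes cannot fit the 64-byte buffer. */
    char big[81];
    memset(big, 'A', 80);
    big[80] = '\0';
    rc = apply_readlink("/boot", big, 80, path, sizeof path);
    printf("oversized: rc=%d path unchanged=%s\n", rc, path);
    return 0;
}
```

The two rejection codes are deliberately distinct: RL_ERR_SHORT_REPLY flags a reply whose length field exceeds its payload, RL_ERR_TOO_LONG flags a well-formed reply whose result would not fit. Logging them separately at the boot loader level gives operators a way to spot malformed or oversized NFS replies during network boot instead of silently truncating or, as in the unpatched pattern, writing past the buffer.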

Defensive priority

Critical. The NVD record assigns a 9.8 score and a network-reachable, no-authentication, no-user-interaction vector. Prioritize inventorying U-Boot instances, confirming whether versions at or below 2019.07 are present, and applying vendor guidance or updates before relying on the affected NFS path handling.

Recommended defensive actions

  • Inventory devices and firmware images that include U-Boot and identify any versions through 2019.07.
  • Apply the vendor or upstream fix guidance referenced in the advisory and repository links once a patched release is confirmed.
  • If NFS-based functionality is not required in a given deployment, disable or restrict it as part of the mitigation plan.
  • Treat systems that process untrusted network input during boot as urgent patch candidates and validate them in staging before field rollout.
  • Coordinate firmware update and rollback plans for embedded devices where replacing U-Boot requires controlled maintenance windows.

Evidence notes

This debrief is based only on the supplied CVE record and its referenced links. The NVD metadata states: affected versions through 2019.07, CWE-787, and CVSS 3.0 9.8 with vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The description specifically cites an unbounded memcpy with an unvalidated length in nfs_readlink_reply after calculating the new path length. The CVE was published on 2019-07-31; the later 2026-05-12 modification date is metadata update context, not the disclosure date.

Official resources

Publicly disclosed in the CVE record on 2019-07-31. The supplied NVD record was later modified on 2026-05-12; that later date reflects record maintenance, not original disclosure timing.