PatchSiren cyber security CVE debrief

CVE-2019-14194 Denx CVE debrief

CVE-2019-14194 describes a critical flaw in U-Boot through 2019.07 affecting the NFSv2 reply path. In the vulnerable flow, nfs_read_reply can call store_block after a failed length check, resulting in an unbounded memcpy. Because the issue is network-reachable and rated CVSS 9.8, it should be treated as an urgent bootloader hardening and patching priority for any device that uses U-Boot network boot or NFS-based boot logic.

Vendor: Denx
Product: CVE-2019-14194
CVSS: CRITICAL 9.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2019-07-31
Original CVE updated: 2026-05-12
Advisory published: 2019-07-31
Advisory updated: 2026-05-12

Who should care

Embedded device vendors, OEM firmware teams, bootloader maintainers, and security teams responsible for systems that ship or deploy U-Boot, especially where network boot or NFS boot is enabled.

Technical summary

The NVD record states that U-Boot through 2019.07 contains an unbounded memcpy in nfs_read_reply when calling store_block in the NFSv2 case, with a failed length check. NVD maps the weakness to CWE-787 and assigns CVSS 3.0 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating a remotely reachable memory-corruption issue with high impact.
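The following C block is an added illustration of the weakness class described above (CWE-787: a length check whose failure does not stop the subsequent copy), written for this debrief. It is not U-Boot's code: the reply layout, the buffer size, and the function names are constructed stand-ins, not NFSv2 XDR, so it models the control-flow mistake rather than reproducing the real nfs_read_reply/store_block code. The unchecked variant returns the byte count the copy would have been handed instead of performing it, so the block runs safely; the hardened variant shows the two bounds a receive path has to enforce.

```c
/* Added illustration of the CWE-787 pattern behind CVE-2019-14194.
 * NOT U-Boot code: wire layout, buffer size and names are constructed. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define BLOCK_BUF_SIZE 1024u   /* assumed size of the receive-block buffer */
#define REPLY_HDR_LEN  8u      /* constructed header: status + declared length */

/* Constructed reply layout (big-endian, not real NFSv2 XDR):
 *   bytes 0..3  status (0 = OK)
 *   bytes 4..7  declared payload length
 *   bytes 8..   payload */
static uint8_t block_buf[BLOCK_BUF_SIZE];

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Models the vulnerable control flow: the length check runs, but its result
 * does not stop the copy. Instead of calling memcpy, this returns the byte
 * count memcpy would have received; anything above BLOCK_BUF_SIZE is the
 * out-of-bounds write. Returns 0 when the header is short or status != OK. */
size_t read_reply_len_unchecked(const uint8_t *pkt, size_t pkt_len) {
    if (pkt_len < REPLY_HDR_LEN || be32(pkt) != 0)
        return 0;
    uint32_t rlen = be32(pkt + 4);
    if (rlen > BLOCK_BUF_SIZE) {
        /* check fails here, but nothing returns: execution falls through */
    }
    /* store_block(block_buf, pkt + REPLY_HDR_LEN, rlen) would run here */
    return rlen;
}

/* Hardened form: reject the reply if the declared length exceeds either the
 * destination buffer or the bytes actually received. Returns bytes copied,
 * or -1 when the reply is rejected and nothing is written. */
long read_reply_hardened(const uint8_t *pkt, size_t pkt_len,
                         uint8_t *out, size_t out_cap) {
    if (pkt_len < REPLY_HDR_LEN || be32(pkt) != 0)
        return -1;
    uint32_t rlen = be32(pkt + 4);
    if (rlen > out_cap)                       /* would overflow destination */
        return -1;
    if (rlen > pkt_len - REPLY_HDR_LEN)       /* would read past the packet */
        return -1;
    memcpy(out, pkt + REPLY_HDR_LEN, rlen);   /* bounded copy */
    return (long)rlen;
}

/* Constructed sample replies (24 bytes each: 8-byte header + 16-byte payload). */
static uint8_t sane_reply[REPLY_HDR_LEN + 16] = {
    0, 0, 0, 0,  0, 0, 0, 16,
    'h','e','l','l','o',' ','w','o','r','l','d','!','!','!','!','!' };
/* Declares 4096 bytes (0x1000) while carrying only 16. */
static uint8_t hostile_reply[REPLY_HDR_LEN + 16] = {
    0, 0, 0, 0,  0, 0, 0x10, 0x00,
    'A','A','A','A','A','A','A','A','A','A','A','A','A','A','A','A' };
/* Declares 32 bytes: fits the buffer but exceeds the packet. */
static uint8_t short_reply[REPLY_HDR_LEN + 16] = {
    0, 0, 0, 0,  0, 0, 0, 32,
    'B','B','B','B','B','B','B','B','B','B','B','B','B','B','B','B' };

int main(void) {
    printf("unchecked would copy %zu bytes from hostile reply (buffer is %u)\n",
           read_reply_len_unchecked(hostile_reply, sizeof hostile_reply),
           BLOCK_BUF_SIZE);
    printf("hardened: sane=%ld hostile=%ld short=%ld\n",
           read_reply_hardened(sane_reply, sizeof sane_reply, block_buf, BLOCK_BUF_SIZE),
           read_reply_hardened(hostile_reply, sizeof hostile_reply, block_buf, BLOCK_BUF_SIZE),
           read_reply_hardened(short_reply, sizeof short_reply, block_buf, BLOCK_BUF_SIZE));
    return 0;
}
```

The second bound in the hardened path (declared length versus bytes received) matters as much as the first: a reply that fits the buffer but claims more data than arrived turns into an over-read of the packet buffer, so a receive path should validate the declared length against both limits before any copy.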

Defensive priority

Immediate

Recommended defensive actions

  • Upgrade to a U-Boot release that includes the vendor or upstream fix for CVE-2019-14194.
  • If NFS/network boot is not required, disable or remove that boot path to reduce exposure.
  • Apply downstream firmware/vendor patches to any shipped bootloader images, including board-specific forks.
  • Inventory deployed devices and build artifacts to identify U-Boot versions at or below 2019.07.
  • Restrict access to boot services and trusted management networks where network boot must remain enabled.
  • Review vendor advisories and upstream U-Boot security references for patch guidance and backport status.
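As an added helper for the inventory step above (not part of this debrief's sources or of U-Boot), the C block below scans a raw firmware image for a "U-Boot YYYY.MM" or "U-Boot SPL YYYY.MM" banner string and reports whether the version is at or below 2019.07, the range the NVD description names as affected. The banner layout assumed here and the sample images are constructed for the example; the helper is a triage aid for build artifacts and does not replace checking a vendor's backport status.

```c
/* Added inventory helper (constructed, not U-Boot code): find the U-Boot
 * version banner in a raw image and classify it against 2019.07. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define LAST_AFFECTED_YEAR  2019   /* "through 2019.07" per the NVD text */
#define LAST_AFFECTED_MONTH 7

/* Parses a "YYYY.MM" prefix (any "-rcN" suffix is ignored). Returns 1 on success. */
static int parse_version(const char *s, int *year, int *month) {
    int y = 0, m = 0, i;
    for (i = 0; i < 4; i++) {
        if (s[i] < '0' || s[i] > '9') return 0;
        y = y * 10 + (s[i] - '0');
    }
    if (s[4] != '.') return 0;
    for (i = 5; i < 7; i++) {
        if (s[i] < '0' || s[i] > '9') return 0;
        m = m * 10 + (s[i] - '0');
    }
    if (m < 1 || m > 12) return 0;
    *year = y;
    *month = m;
    return 1;
}

/* Returns 1 when year.month is at or below 2019.07 (release candidates of
 * 2019.07 are counted as affected, which is the conservative choice). */
int version_is_affected(int year, int month) {
    return year < LAST_AFFECTED_YEAR ||
           (year == LAST_AFFECTED_YEAR && month <= LAST_AFFECTED_MONTH);
}

/* Scans a raw image (NUL bytes allowed) for "U-Boot " optionally followed by
 * "SPL ", then "YYYY.MM". Returns 1 affected, 0 not affected, -1 no banner.
 * When out has room for 8 bytes, the version string is copied into it. */
int scan_image(const uint8_t *img, size_t len, char *out, size_t out_cap) {
    static const char tag[] = "U-Boot ";
    const size_t taglen = sizeof tag - 1;
    for (size_t i = 0; i + taglen <= len; i++) {
        if (memcmp(img + i, tag, taglen) != 0)
            continue;
        size_t off = i + taglen;
        if (off + 4 <= len && memcmp(img + off, "SPL ", 4) == 0)
            off += 4;                          /* SPL banner variant */
        if (off + 7 > len)
            break;
        char ver[8];
        memcpy(ver, img + off, 7);
        ver[7] = '\0';
        int y, m;
        if (!parse_version(ver, &y, &m))
            continue;                          /* "U-Boot " not followed by a version */
        if (out && out_cap >= 8)
            memcpy(out, ver, 8);
        return version_is_affected(y, m);
    }
    return -1;
}

/* Constructed sample images: a few junk bytes, embedded NULs, then a banner. */
static const uint8_t old_image[] =
    "\x00\x01\x02junk\x00U-Boot 2018.11-rc2 (Nov 12 2018 - 10:00:00 +0000)\x00tail";
static const uint8_t spl_image[] =
    "\xff\xfe\x00U-Boot SPL 2019.07 (Jul 08 2019 - 09:00:00 +0000)\x00";
static const uint8_t new_image[] =
    "\x00\x00U-Boot 2020.01 (Jan 06 2020 - 08:00:00 +0000)\x00";
static const uint8_t no_banner[] = "\x00\x01no version string here\x00";

static char found[8];   /* receives the version string from the last scan */

int main(void) {
    const uint8_t *imgs[] = { old_image, spl_image, new_image, no_banner };
    const size_t lens[] = { sizeof old_image, sizeof spl_image,
                            sizeof new_image, sizeof no_banner };
    for (int k = 0; k < 4; k++) {
        found[0] = '\0';
        int r = scan_image(imgs[k], lens[k], found, sizeof found);
        printf("image %d: %s%s\n", k,
               r < 0 ? "no U-Boot banner found" : found,
               r == 1 ? " (at or below 2019.07: patch)" : r == 0 ? " (newer)" : "");
    }
    return 0;
}
```

Run it over extracted bootloader partitions or build outputs; an image that reports "no U-Boot banner found" still needs manual review, since vendors sometimes strip or rewrite the banner in board-specific forks.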

Evidence notes

The debrief is based on the supplied NVD/CVE corpus: description text says the issue exists in Das U-Boot through 2019.07 and involves an unbounded memcpy with a failed length check at nfs_read_reply when calling store_block in the NFSv2 case. NVD assigns CWE-787 and CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. Reference links supplied in the corpus include the CVE record, NVD detail, a Semmle advisory blog, the U-Boot repository, and a Siemens advisory page. CVE published date used here is 2019-07-31; the later NVD modification date is noted only as record context.

Official resources

Publicly disclosed on 2019-07-31. The NVD record was later modified on 2026-05-12; that modified date is record maintenance context, not the vulnerability issue date.