PatchSiren

PatchSiren cyber security CVE debrief

CVE-2019-14195 Denx CVE debrief

CVE-2019-14195 is a critical memory corruption issue in Das U-Boot affecting versions through 2019.07. The flaw is in NFS readlink reply handling: nfs_readlink_reply takes the link-target length from the server's reply and passes it to memcpy without validating it, in the else block after the new path length is computed. Because the trigger is an NFS reply, anyone who can answer a device's NFS requests (a malicious or compromised NFS server, or an attacker positioned on the boot network) can reach the flaw, and with a score of 9.8 it should be treated as urgent for any environment that boots or interacts with U-Boot over NFS.

Vendor
Denx
Product
Das U-Boot
CVSS
CRITICAL 9.8
CISA KEV
Not listed in stored evidence
Original CVE published
2019-07-31
Original CVE updated
2026-05-12
Advisory published
2019-07-31
Advisory updated
2026-05-12

Who should care

Embedded platform teams, bootloader maintainers, OEMs, and operators who use U-Boot in network-boot or NFS-based startup paths. Security teams responsible for firmware, device lifecycle management, and supply-chain validation should also prioritize review.

Technical summary

NVD describes the issue as an unbounded memcpy with an unvalidated length in nfs_readlink_reply, specifically in the else block after the new path length is calculated. The affected product set is U-Boot through 2019.07, and NVD assigns CWE-787 (out-of-bounds write). The CVSS vector is AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H: network attack vector, low complexity, no privileges or user interaction required, and high impact on confidentiality, integrity and availability. Both the copy length and the copied bytes come from the reply, so the write past the destination buffer is under the control of whoever supplied that reply, which is why this rates as critical rather than as a simple denial of service.
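To make the pattern NVD describes concrete, here is a small model of a READLINK reply parser in two forms: the shape of the bug (the reply's length word goes straight into memcpy) and a bounded version that checks the length against both the bytes received and the room left in the destination. This is an added example written for this debrief, not U-Boot source: the reply layout (a four-byte big-endian length followed by the link target), the 64-byte path buffer, the demo arena with its canary byte, and every function name are assumptions chosen so the overflow can be observed in a self-contained program without writing outside allocated memory.

```c
/* Model of the nfs_readlink_reply() pattern behind CVE-2019-14195. Added
 * example, not U-Boot source: the reply layout, PATH_SZ, the demo arena and
 * the function names are assumptions chosen to make the bug observable. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PATH_SZ  64   /* assumed size of the path buffer the parser fills   */
#define ARENA_SZ 256  /* demo arena: path at [0, PATH_SZ), canary at PATH_SZ */

/* Reply body (simplified): 4-byte big-endian target length, then the target. */
static uint32_t be32(const uint8_t *p)
{
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}

/* Vulnerable shape: rlen comes from the reply and feeds memcpy directly,
 * never compared with the bytes received or with the destination size. */
static int readlink_reply_unchecked(const uint8_t *pkt, size_t len, char *path)
{
    uint32_t rlen = be32(pkt);
    const uint8_t *target = pkt + 4;
    (void)len;                                /* received length never consulted */
    if (target[0] != '/') {                   /* relative link: append to path */
        size_t pathlen = strlen(strcat(path, "/"));
        memcpy(path + pathlen, target, rlen);
        path[pathlen + rlen] = 0;
    } else {                                  /* absolute link: replace path */
        memcpy(path, target, rlen);           /* unbounded copy in the else block */
        path[rlen] = 0;
    }
    return 0;
}

/* Hardened shape: every server-controlled length is bounded by the packet
 * length and by the room left in the destination, NUL terminator included. */
static int readlink_reply_checked(const uint8_t *pkt, size_t len,
                                  char *path, size_t path_sz)
{
    const uint8_t *target = pkt + 4;
    uint32_t rlen;
    if (len < 4)
        return -1;
    rlen = be32(pkt);
    if (rlen == 0 || rlen > len - 4)          /* claims more than was received */
        return -1;
    if (target[0] != '/') {
        size_t pathlen = strlen(path);        /* our own buffer, trusted */
        if (pathlen + 1 + rlen >= path_sz)    /* "/" + target + NUL must fit */
            return -1;
        path[pathlen] = '/';
        memcpy(path + pathlen + 1, target, rlen);
        path[pathlen + 1 + rlen] = 0;
    } else {
        if (rlen >= path_sz)                  /* target + NUL must fit */
            return -1;
        memcpy(path, target, rlen);
        path[rlen] = 0;
    }
    return 0;
}

/* Feed one reply (length word `claimed`, `n` bytes of `target` actually
 * present) to either parser. The path is the first PATH_SZ bytes of a larger
 * arena with a canary just past it, so an overflow is visible safely. Returns
 * the parser's rc, copies the path to `out`, reports whether the canary died. */
static int run_reply(int use_checked, uint32_t claimed, const uint8_t *target,
                     size_t n, char out[PATH_SZ], int *clobbered)
{
    uint8_t pkt[ARENA_SZ] = { (uint8_t)(claimed >> 24), (uint8_t)(claimed >> 16),
                              (uint8_t)(claimed >> 8), (uint8_t)claimed };
    char arena[ARENA_SZ] = "/nfsroot";        /* path before the reply arrives */
    int rc;
    if (n > sizeof pkt - 4)
        return -2;
    memcpy(pkt + 4, target, n);
    arena[PATH_SZ] = 'C';
    rc = use_checked ? readlink_reply_checked(pkt, 4 + n, arena, PATH_SZ)
                     : readlink_reply_unchecked(pkt, 4 + n, arena);
    *clobbered = arena[PATH_SZ] != 'C';
    memcpy(out, arena, PATH_SZ);
    out[PATH_SZ - 1] = 0;
    return rc;
}

/* 100-byte absolute link: claimed and real length both exceed PATH_SZ.
 * Returns 1 if the canary past the path buffer was overwritten. */
int demo_overflow(int use_checked)
{
    uint8_t target[100];
    char out[PATH_SZ];
    int clobbered;
    memset(target, 'A', sizeof target);
    target[0] = '/';                          /* takes the else branch */
    run_reply(use_checked, sizeof target, target, sizeof target, out, &clobbered);
    return clobbered;
}

/* Link `target` with length word `claimed`: 1 if the parser accepted it, kept
 * the canary intact and produced `expected`, else 0. Use use_checked=1 when
 * `claimed` exceeds strlen(target); the unchecked parser would over-read. */
int demo_path_is(int use_checked, const char *target, uint32_t claimed,
                 const char *expected)
{
    char out[PATH_SZ];
    int clobbered;
    int rc = run_reply(use_checked, claimed, (const uint8_t *)target,
                       strlen(target), out, &clobbered);
    return rc == 0 && !clobbered && strcmp(out, expected) == 0;
}

int main(void)
{
    printf("unchecked, 100-byte absolute link: canary clobbered=%d\n", demo_overflow(0));
    printf("checked,   same reply:             canary clobbered=%d\n", demo_overflow(1));
    printf("checked,   relative \"lib\":         ok=%d\n", demo_path_is(1, "lib", 3, "/nfsroot/lib"));
    printf("checked,   claims 500, carries 3:  rejected=%d\n", !demo_path_is(1, "lib", 500, "/nfsroot/lib"));
    return 0;
}
```

The two checks in the hardened parser are the ones any reply handler of this kind needs: the length word must not exceed what was actually received (otherwise memcpy reads past the packet), and it must leave room in the destination for the data plus its terminator (otherwise it writes past the path buffer, which is the CVE). Note that both parsers produce the same correct result on well-formed replies; the difference only shows on input a legitimate server would never send.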

Defensive priority

High. This is a pre-boot/bootloader vulnerability with a remote attack surface in NFS reply handling and a critical CVSS score. The malformed input arrives in a reply, so the attacker does not need to reach the device unsolicited: controlling or impersonating the NFS server the device boots from is enough, and on many deployments that means anyone on the same boot network segment. Systems that use U-Boot for network booting or unattended device provisioning should be reviewed first.

Recommended defensive actions

  • Verify whether any deployed U-Boot builds are at 2019.07 or older; include vendor forks, since OEM trees often lag upstream by several releases.
  • Prioritize upgrading to a fixed upstream release (newer than 2019.07) or a vendor-maintained build that explicitly addresses CVE-2019-14195; a recent build date alone is not evidence of the fix unless the changelog names the CVE or the corresponding commit.
  • If immediate upgrade is not possible, disable or restrict NFS-based boot paths and treat the NFS server and the boot network segment as part of the trust boundary: a device that still boots over NFS is only as safe as the server it talks to and the network that can answer for it.
  • Rebuild and redeploy firmware images from trusted sources after patching, then confirm the active bootloader version on target devices (for example with the version command at the U-Boot prompt, or by checking the version string embedded in the flashed image) rather than trusting the build manifest.
  • Use vendor advisories and official release notes to confirm whether downstream firmware packages include the fix.
  • Add firmware inventory and SBOM checks so U-Boot versions are tracked across device fleets.

Evidence notes

The vulnerability description, affected version boundary, CVSS, and CWE come from the supplied NVD record. The CVE record and NVD detail pages are official references. The source corpus also lists a third-party advisory and the upstream U-Boot repository as references, but no additional technical claims beyond the NVD description are used here.

Official resources

Publicly disclosed on 2019-07-31. The supplied NVD record was last modified on 2026-05-12. This CVE is not marked as known exploited in the supplied enrichment.