PatchSiren

PatchSiren cyber security CVE debrief

CVE-2019-14197 Denx CVE debrief

CVE-2019-14197 is a high-severity memory-safety issue in Das U-Boot through 2019.07. NVD describes it as an out-of-bounds read in nfs_read_reply, with a CVSS 3.0 score of 9.1 (network-reachable, no privileges or user interaction, high confidentiality impact, and high availability impact). For organizations that use U-Boot in embedded devices—especially where NFS-based boot paths are enabled—this should be treated as urgent remediation work.

Vendor: Denx
Product: CVE-2019-14197
CVSS: CRITICAL 9.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2019-07-31
Original CVE updated: 2026-05-12
Advisory published: 2019-07-31
Advisory updated: 2026-05-12

Who should care

Embedded device vendors, OEMs, firmware maintainers, and operators running U-Boot-based bootloaders should care most, especially if devices use NFS boot or other code paths that process NFS replies.

Technical summary

NVD lists CVE-2019-14197 as a CWE-125 out-of-bounds read affecting denx:u-boot through version 2019.07. The vulnerable path is nfs_read_reply, and the published CVSS vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H) indicates a remotely reachable issue with no authentication or user interaction required. The main security concern is unintended memory exposure, with possible availability impact in affected bootloader contexts.

Defensive priority

Critical

Recommended defensive actions

  • Inventory firmware and bootloader builds to find any U-Boot versions through 2019.07.
  • Prioritize devices that enable NFS boot or otherwise use the NFS reply parsing path.
  • Apply the vendor or upstream U-Boot fix, or upgrade to a release newer than the affected range.
  • If NFS boot is not required, disable or restrict it in firmware configuration.
  • Validate patched images in lab and production-like boot scenarios before broad rollout.
  • Coordinate with device vendors for model-specific remediation guidance if you do not directly control the bootloader build.
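As an added example (not PatchSiren's or the U-Boot project's own code), a small Python triage helper for the inventory and prioritization steps above: it locates the U-Boot version banner in a firmware blob, compares it against the "through 2019.07" range NVD gives (treating release candidates as preceding their final release), and raises the priority when the help text of U-Boot's nfs command is present, which is used here as an assumed heuristic for the NFS reply path being compiled in. The sample images are constructed, not real firmware.

```python
import re

# Affected range from the NVD record summarized above: U-Boot through 2019.07 (inclusive).
AFFECTED_END = (2019, 7)

# Banner core is YYYY.MM, e.g. "U-Boot 2019.07-rc2-00123-gdeadbeef (Jul 08 2019 - ...)"; -rcN and suffix optional.
_BANNER_RE = re.compile(rb"U-Boot (?:SPL )?(\d{4})\.(\d{2})(?:-rc(\d+))?")

# Assumed heuristic: help text of U-Boot's "nfs" command, linked in only when the NFS client is built.
NFS_MARKER = b"boot image via network using NFS protocol"

def parse_uboot_version(blob: bytes):
    """Return (year, month, rc) for the first U-Boot banner in blob, or None (rc None = final release)."""
    m = _BANNER_RE.search(blob)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)) if m.group(3) else None)

def is_affected(version) -> bool:
    """In NVD's 'through 2019.07' range; an rc precedes its release, so 2019.07-rc1 yes, 2019.10-rc1 no."""
    year, month, _rc = version
    return (year, month) <= AFFECTED_END

def assess_image(name: str, blob: bytes) -> dict:
    """Classify one firmware image for the remediation inventory."""
    version = parse_uboot_version(blob)
    if version is None:
        return {"image": name, "uboot": None, "affected": False, "nfs_cmd": False, "priority": "none"}
    year, month, rc = version
    affected, nfs = is_affected(version), NFS_MARKER in blob
    if affected and nfs:
        priority = "critical"  # vulnerable version and the NFS reply parser is compiled in
    elif affected:
        priority = "high"      # vulnerable version; confirm whether NFS boot is actually enabled
    else:
        priority = "none"
    return {"image": name, "uboot": f"{year}.{month:02d}" + (f"-rc{rc}" if rc else ""),
            "affected": affected, "nfs_cmd": nfs, "priority": priority}

# Constructed sample images (not real firmware): a banner plus padding, as a strings-style scan sees it.
SAMPLE_IMAGES = {
    "gateway-a.bin": b"\x00" * 16 + b"U-Boot 2019.04-00045-g0000000 (Apr 15 2019 - 10:00:00 +0000)\x00" + NFS_MARKER,
    "gateway-b.bin": b"U-Boot 2019.07 (Jul 08 2019 - 12:00:00 +0000)\x00",
    "gateway-c.bin": b"U-Boot 2019.10-rc1-00010-g0000000 (Aug 01 2019 - 09:00:00 +0000)\x00",
    "sensor.bin": b"no bootloader banner here",
}

def inventory(images=SAMPLE_IMAGES):
    rank = {"critical": 0, "high": 1, "none": 2}
    return sorted((assess_image(n, b) for n, b in images.items()), key=lambda r: rank[r["priority"]])
```

Run inventory() over real images read from disk in place of SAMPLE_IMAGES; the result is a list of rows ordered most-urgent first.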

Evidence notes

The supplied corpus shows an official NVD record published on 2019-07-31 and last modified on 2026-05-12. NVD maps the affected product to cpe:2.3:a:denx:u-boot:* with versionEndIncluding 2019.07, and lists CWE-125. References in the corpus include a Semmle advisory, the upstream U-Boot GitLab repository, and a Siemens CERT notice; however, the specific contents of those pages were not provided here, so this debrief stays within the NVD-described facts.

Official resources

Publicly disclosed on 2019-07-31; the supplied NVD record was last modified on 2026-05-12.