PatchSiren cyber security CVE debrief

CVE-2019-14198 Denx CVE debrief

CVE-2019-14198 is a critical memory-corruption issue in Das U-Boot affecting versions through 2019.07. NVD describes an unbounded memcpy with a failed length check in nfs_read_reply when store_block is called in the NFSv3 case. Because the vulnerable path is network-facing and requires no privileges or user interaction, systems that boot over NFS or otherwise expose U-Boot network boot functionality should treat this as high priority.

Vendor: Denx
Product: CVE-2019-14198
CVSS: CRITICAL 9.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2019-07-31
Original CVE updated: 2026-05-12
Advisory published: 2019-07-31
Advisory updated: 2026-05-12

Who should care

Embedded device vendors, firmware teams, and operators of systems that use U-Boot for network booting should care most. This is especially relevant for products that rely on NFSv3 boot flows or ship U-Boot-based firmware in exposed or field-deployed devices.

Technical summary

The NVD record classifies the weakness as CWE-787 and assigns a CVSS v3.0 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). The affected product criterion is denx:u-boot through 2019.07. The issue is described as an unbounded memcpy caused by a failed length check in nfs_read_reply during store_block handling in the NFSv3 case: a length taken from the reply is used to size the copy without being validated against the data actually received, which creates a memory-safety risk on attacker-influenced network input.
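As an added illustration, not U-Boot's own code (which is not reproduced here), the C below shows the class of check whose absence NVD describes: a length field read from a network reply is validated against the bytes actually received, and against the destination buffer, before memcpy runs. The reply layout, the buffer size and the function names are assumptions made for this example only.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Fixed-size destination standing in for the load buffer a bootloader
 * fills from read replies (assumed size, not U-Boot's). */
#define STORE_MAX 64
static uint8_t store[STORE_MAX];
const uint8_t *store_bytes(void) { return store; }

/* Constructed reply layout (an assumption for this example, not the real
 * RPC/NFSv3 wire format): 4-byte big-endian data length, then the data. */
static const uint8_t good_reply[] = { 0, 0, 0, 5, 'h', 'e', 'l', 'l', 'o' };
/* Malformed reply: claims 4096 data bytes but carries only 5. A memcpy that
 * trusts the claimed length reads past the packet and overruns 'store'. */
static const uint8_t bad_reply[]  = { 0, 0, 0x10, 0, 'h', 'e', 'l', 'l', 'o' };

/* Copy the reply's data into 'store' at dst_off. Returns the number of
 * bytes stored, or -1 when the reply is malformed. The length field is
 * attacker-influenced input, so it is checked against what was actually
 * received, and against the destination, before any copy happens. */
int store_reply_data(const uint8_t *pkt, size_t pkt_len, size_t dst_off)
{
    if (pkt == NULL || pkt_len < 4)
        return -1;
    uint32_t rlen = ((uint32_t)pkt[0] << 24) | ((uint32_t)pkt[1] << 16) |
                    ((uint32_t)pkt[2] << 8)  |  (uint32_t)pkt[3];
    /* Source bound: the claimed length must fit inside the received packet. */
    if (rlen > pkt_len - 4)
        return -1;
    /* Destination bound, written in this order to avoid size_t overflow. */
    if (dst_off > STORE_MAX || rlen > STORE_MAX - dst_off)
        return -1;
    memcpy(store + dst_off, pkt + 4, rlen);
    return (int)rlen;
}
```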

Defensive priority

Immediate. This is a critical, remotely reachable memory-corruption flaw in bootloader code and should be addressed as soon as practical in any environment that uses the affected U-Boot versions or NFS boot paths.

Recommended defensive actions

  • Upgrade U-Boot to a version newer than 2019.07 that includes the fix for CVE-2019-14198.
  • If NFS boot is not required, disable or remove the NFS boot path to reduce exposure.
  • Inventory devices and firmware images to identify any use of affected U-Boot versions.
  • Limit access to boot-time network services and isolate management or provisioning networks that may reach U-Boot NFS functionality.
  • Follow vendor and project advisories for patch availability and deployment guidance.

Evidence notes

The debrief is grounded in the NVD CVE record and the official project/vendor references listed in the source corpus. NVD identifies the affected CPE as denx:u-boot through 2019.07, classifies the weakness as CWE-787, and assigns a CVSS v3.0 base score of 9.8. The description specifically cites an unbounded memcpy with a failed length check in nfs_read_reply during the NFSv3 store_block path. No exploit details are included here.

Official resources

CVE published 2019-07-31T13:15:13.620Z. The NVD record was last modified 2026-05-12T10:16:35.190Z, which is a metadata update date and not the vulnerability discovery date.