PatchSiren cyber security CVE debrief
CVE-2019-14199 Denx CVE debrief
CVE-2019-14199 is a critical memory-corruption issue in DENX U-Boot’s UDP packet handling. NVD describes an integer underflow in net_process_received_packet during udp_packet_handler processing that can lead to an unbounded memcpy when parsing a UDP packet.
- Vendor: Denx
- Product: CVE-2019-14199
- CVSS: CRITICAL 9.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2019-07-31
- Original CVE updated: 2026-05-12
- Advisory published: 2019-07-31
- Advisory updated: 2026-05-12
Who should care
Organizations that ship or operate embedded devices using DENX U-Boot, especially systems that accept network traffic during boot or recovery, should review this immediately. Security teams responsible for firmware supply chains, device OEMs, and operators of remotely managed embedded hardware are the most likely to be affected.
Technical summary
According to NVD, the vulnerability affects U-Boot through version 2019.07 and is classified as CWE-191 (integer underflow). The reported flaw occurs in UDP packet parsing: an integer underflow in net_process_received_packet can result in an unbounded memcpy inside the call made through the udp_packet_handler function pointer. NVD rates the issue CVSS 3.0 9.8 (CRITICAL): network attack vector, low attack complexity, and no privileges or user interaction required.
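Added illustration of the CWE-191 pattern the summary describes, not U-Boot's own code: a UDP payload length derived by subtraction wraps when the claimed IP length is shorter than the headers, and the wrapped value then drives a memcpy; the checked version rejects such packets before subtracting. Header sizes, buffer size and function names are assumptions for the illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumed header sizes for the illustration: IPv4 without options, UDP. */
#define IP_HDR_LEN   20u
#define UDP_HDR_LEN  8u
#define DST_BUF_LEN  64u

/* Unsafe pattern (CWE-191): the payload length is derived by subtraction
 * before anyone checks that the claimed length covers the headers.  With
 * unsigned arithmetic a short claimed length wraps to a huge value, which is
 * the "unbounded memcpy" failure mode the debrief describes. */
static size_t udp_payload_len_unchecked(size_t claimed_ip_len)
{
    return claimed_ip_len - IP_HDR_LEN - UDP_HDR_LEN;
}

/* Hardened version: reject lengths shorter than the headers, and lengths
 * longer than what was actually received, before doing any subtraction. */
static bool udp_payload_len_checked(size_t claimed_ip_len, size_t frame_len,
                                    size_t *payload_len)
{
    if (claimed_ip_len < IP_HDR_LEN + UDP_HDR_LEN)
        return false;               /* would underflow */
    if (claimed_ip_len > frame_len)
        return false;               /* claims more bytes than were received */
    *payload_len = claimed_ip_len - IP_HDR_LEN - UDP_HDR_LEN;
    return true;
}

/* Hypothetical handler that copies the UDP payload into a fixed buffer.
 * Returns the number of bytes copied, or -1 if the packet was rejected. */
static int copy_udp_payload(const uint8_t *frame, size_t frame_len,
                            size_t claimed_ip_len, uint8_t *dst)
{
    size_t n;
    if (!udp_payload_len_checked(claimed_ip_len, frame_len, &n))
        return -1;
    if (n > DST_BUF_LEN)
        return -1;                  /* bound the copy by the destination */
    memcpy(dst, frame + IP_HDR_LEN + UDP_HDR_LEN, n);
    return (int)n;
}
```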
Defensive priority
Immediate. This is a remotely reachable pre-authentication firmware parsing flaw with critical CVSS severity and high impact ratings in NVD.
Recommended defensive actions
- Inventory all devices and firmware builds that use DENX U-Boot and identify any builds at or below version 2019.07.
- Prioritize updating to a vendor- or upstream-fixed U-Boot release; if a fixed version is not immediately known, confirm remediation guidance through the U-Boot project and vendor advisory references.
- Reduce exposure of boot-time or recovery network services where feasible, especially UDP-based management or boot paths.
- Validate whether affected products include the vulnerable packet-handling path in deployed configurations, including network boot scenarios.
- Track vendor and upstream advisories for patch status and backport availability before field deployment.
Evidence notes
Source corpus support: NVD lists affected U-Boot versions through 2019.07, CVSS 3.0 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, and CWE-191. The supplied CVE description states the issue is an unbounded memcpy during UDP packet parsing caused by an integer underflow in net_process_received_packet during udp_packet_handler. References in the record point to the U-Boot project repository, a Semmle advisory, and a Siemens product security advisory.
Official resources
- CVE-2019-14199 CVE record (CVE.org)
- CVE-2019-14199 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Third Party Advisory
- Mitigation or vendor reference: [email protected] - Third Party Advisory
- Source reference: 0b142b55-0307-4c5a-b3c9-f314f3fb7c5e
Publicly disclosed on 2019-07-31. The supplied record was last modified by NVD on 2026-05-12.