PatchSiren

PatchSiren cyber security CVE debrief

CVE-2019-14201 Denx CVE debrief

CVE-2019-14201 is a critical memory-corruption flaw in Das U-Boot. According to the NVD record, the issue is a stack-based buffer overflow in the NFS reply helper function nfs_lookup_reply, with affected versions through 2019.07. NVD rates the issue 9.8 (CVSS 3.0: network reachable, no privileges, no user interaction, and high impact to confidentiality, integrity, and availability).

Vendor
Denx
Product
Das U-Boot
CVSS
CRITICAL 9.8
CISA KEV
Not listed in stored evidence
Original CVE published
2019-07-31
Original CVE updated
2026-05-12
Advisory published
2019-07-31
Advisory updated
2026-05-12

Who should care

Teams that build, ship, maintain, or operate systems using U-Boot at or below 2019.07 should treat this as urgent. The flaw sits in the parsing of NFS replies, so the exposure is any device that performs an NFS boot or NFS load over a network where an attacker can answer the device's request, whether as a rogue server or by injecting replies from an on-path position.

Technical summary

The NVD entry identifies a stack-based buffer overflow in nfs_lookup_reply, described as part of the nfs_handler reply helper path in U-Boot. The vulnerability is mapped to CWE-787 and is scored CVSS 3.0 9.8 with AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating a remotely reachable flaw with no authentication or user interaction required and severe impact if triggered. Because the overflow is in a reply handler, the attacker-controlled data arrives in the response to a request the device itself sent during boot, so the attacker needs only to be positioned to answer that request. A stack-based overflow of this kind lets a length or payload taken from the reply overwrite whatever sits above the fixed-size buffer in the caller's stack frame, which is why the record assigns full confidentiality, integrity, and availability impact rather than a denial-of-service-only rating. The affected CPE range in the record extends through U-Boot 2019.07.
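The following is an added example, not code from U-Boot or from this debrief's sources. It models the class of bug the record describes, an NFS reply whose length field drives a copy into a fixed stack buffer, and places the vulnerable pattern beside the hardened check. The reply layout (4-byte big-endian handle length followed by the handle), the 64-byte buffer size, the struct that stands in for a stack frame, and the function names are all assumptions chosen for the demonstration; they are not U-Boot's real NFS/XDR encoding or its real limits.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical reply layout for this example only (not U-Boot's real
 * NFS/XDR encoding): a 4-byte big-endian handle length, then the handle. */
#define FH_MAX 64
#define GUARD_VALUE 0xCAFEBABEu

/* Stand-in for a stack frame: the fixed-size handle buffer, then a guard
 * word that models saved data (a return address, for instance) sitting
 * above the buffer, then padding so the demonstration write stays inside
 * one object instead of actually smashing this program's stack. */
struct frame {
    uint8_t  fh[FH_MAX];
    uint32_t guard;
    uint8_t  spill[64];
};

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Vulnerable pattern: the handle length comes from the reply and is
 * copied into the fixed buffer without comparing it to FH_MAX. The read
 * is kept inside the packet so the demo is deterministic; the missing
 * write-side bound is the bug. Returns bytes copied, or -1. */
int parse_lookup_reply_vulnerable(struct frame *f, const uint8_t *pkt, size_t pktlen)
{
    if (pktlen < 4)
        return -1;
    uint32_t len = be32(pkt);
    if (len > pktlen - 4)
        return -1;
    memcpy((uint8_t *)f, pkt + 4, len);   /* overruns fh when len > FH_MAX */
    return (int)len;
}

/* Hardened form: reject any length the destination cannot hold. */
int parse_lookup_reply_hardened(struct frame *f, const uint8_t *pkt, size_t pktlen)
{
    if (pktlen < 4)
        return -1;
    uint32_t len = be32(pkt);
    if (len > FH_MAX || len > pktlen - 4)
        return -1;                        /* refuse, do not truncate */
    memcpy(f->fh, pkt + 4, len);
    return (int)len;
}

/* Build a constructed reply advertising a handle of `len` bytes. */
size_t build_reply(uint8_t *buf, size_t bufsz, uint32_t len, uint8_t fill)
{
    if (bufsz < 4 + (size_t)len)
        return 0;
    buf[0] = (uint8_t)(len >> 24); buf[1] = (uint8_t)(len >> 16);
    buf[2] = (uint8_t)(len >> 8);  buf[3] = (uint8_t)len;
    memset(buf + 4, fill, len);
    return 4 + len;
}

/* Feed one parser a reply of the given length.
 * Returns 1 if the guard survived, 0 if it was clobbered, -1 if the
 * parser rejected the reply. */
int run_case(int (*parser)(struct frame *, const uint8_t *, size_t), uint32_t len)
{
    uint8_t pkt[4 + 128];
    struct frame f;
    memset(&f, 0, sizeof f);
    f.guard = GUARD_VALUE;
    size_t n = build_reply(pkt, sizeof pkt, len, 0x41);
    if (n == 0 || parser(&f, pkt, n) < 0)
        return -1;
    return f.guard == GUARD_VALUE ? 1 : 0;
}

int main(void)
{
    printf("vulnerable, 16-byte handle: %d\n", run_case(parse_lookup_reply_vulnerable, 16));
    printf("vulnerable, 72-byte handle: %d\n", run_case(parse_lookup_reply_vulnerable, 72));
    printf("hardened,   72-byte handle: %d\n", run_case(parse_lookup_reply_hardened, 72));
    return 0;
}
```

With a well-formed 16-byte handle both parsers behave identically; with a 72-byte handle the vulnerable parser overwrites the guard word (modelling the saved data above the buffer on a real stack) while the hardened parser refuses the reply outright. Refusing rather than truncating matters: a truncated handle would silently produce a different object than the server named, which is its own integrity problem.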

Defensive priority

Immediate

Recommended defensive actions

  • Inventory all devices, firmware images, and build outputs that include U-Boot and confirm whether any are at or below version 2019.07.
  • Prioritize upgrading or replacing affected U-Boot builds with a version that contains the vendor or upstream fix.
  • Review the linked upstream project reference and third-party advisories for patch status and any remediation guidance.
  • Assess whether NFS boot or other NFS-related boot flows are enabled or reachable in your environment (in upstream U-Boot the NFS client is compiled in only when the CMD_NFS option is enabled, so a build without it does not carry the nfs_lookup_reply path) and reduce exposure where possible, for example by not booting over networks an attacker can reach.
  • If immediate upgrading is not possible, apply vendor-approved mitigations or compensating controls from the referenced advisories.
  • Validate firmware supply-chain components so patched builds are actually deployed to fielded devices, not just present in source repositories.
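The inventory step above is easiest to automate by reading the version banner out of each firmware image and comparing it to the "through 2019.07" range from the record. The following is an added example written for this debrief, not a tool from the U-Boot project or from the cited advisories. It assumes the image contains the standard "U-Boot YYYY.MM" banner string (SPL stages print "U-Boot SPL YYYY.MM"); the sample image bytes are constructed, and all function names are the example's own. The check classifies release candidates of 2019.07 as affected, since they predate the 2019.07 release named as the upper bound.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Upper end of the affected range stated by the NVD record: "through 2019.07". */
#define AFFECTED_MAX_YEAR  2019u
#define AFFECTED_MAX_MONTH 7u

/* Parse YYYY.MM from a banner such as
 *   "U-Boot 2019.07-rc2 (Jul 08 2019 - 10:00:00 +0000)"
 *   "U-Boot SPL 2016.11 (...)"
 * Returns 1 on success, 0 if the text is not a version banner. */
int uboot_parse_version(const char *text, unsigned *year, unsigned *month)
{
    const char *p = strstr(text, "U-Boot ");
    if (!p)
        return 0;
    p += strlen("U-Boot ");
    if (strncmp(p, "SPL ", 4) == 0)      /* SPL stage prints its own banner */
        p += 4;
    if (*p == 'v')                       /* tolerate tag-style "v2019.07" */
        p++;
    int n = 0;
    if (sscanf(p, "%4u.%2u%n", year, month, &n) != 2 || n != 7)
        return 0;
    return 1;
}

/* 1 = inside the affected range (<= 2019.07, release candidates included),
 * 0 = newer than 2019.07, -1 = no parsable version. */
int uboot_version_affected(const char *text)
{
    unsigned y, m;
    if (!uboot_parse_version(text, &y, &m))
        return -1;
    if (y < AFFECTED_MAX_YEAR)
        return 1;
    if (y == AFFECTED_MAX_YEAR && m <= AFFECTED_MAX_MONTH)
        return 1;
    return 0;
}

/* Scan a raw image (binary, not NUL-terminated) for a version banner,
 * copying the printable run that follows "U-Boot " into `out`.
 * Prompts and copyright strings that also contain "U-Boot " are skipped
 * because they fail to parse. Returns 1 if a banner was found. */
int find_uboot_banner(const uint8_t *img, size_t len, char *out, size_t outsz)
{
    static const char key[] = "U-Boot ";
    const size_t klen = sizeof key - 1;
    if (outsz == 0)
        return 0;
    for (size_t i = 0; i + klen <= len; i++) {
        if (memcmp(img + i, key, klen) != 0)
            continue;
        size_t j = 0;
        while (i + j < len && j + 1 < outsz &&
               img[i + j] >= 0x20 && img[i + j] < 0x7f) {
            out[j] = (char)img[i + j];
            j++;
        }
        out[j] = '\0';
        unsigned y, m;
        if (uboot_parse_version(out, &y, &m))
            return 1;
    }
    return 0;
}

/* Scan an image and classify it in one call (same return codes as above). */
int scan_image_affected(const uint8_t *img, size_t len)
{
    char banner[128];
    if (!find_uboot_banner(img, len, banner, sizeof banner))
        return -1;
    return uboot_version_affected(banner);
}

/* Constructed sample image: binary junk, a shell prompt string, then the
 * banner. Not a real U-Boot build. */
static const uint8_t sample_image[] =
    "\x7f\x01\x02U-Boot> \x00junk\x00"
    "U-Boot 2019.07-rc2 (Jul 08 2019 - 10:00:00 +0000)\x00tail";

int main(void)
{
    printf("sample image affected: %d\n",
           scan_image_affected(sample_image, sizeof sample_image - 1));
    printf("2019.10 affected: %d\n", uboot_version_affected("U-Boot 2019.10 (Oct 07 2019)"));
    return 0;
}
```

Treat a banner match as a first pass, not a verdict. Vendor forks frequently carry a 2019.x or older banner with backported fixes, and some ship a newer banner on top of an old net/nfs.c, so confirm patch status against the upstream fix and the vendor's advisory as the bullets above describe; a "not affected" result from the banner alone is not evidence that the reply handler was fixed.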

Evidence notes

This debrief is based on the supplied NVD/CVE corpus and the linked official or cited references in the record. The core facts used here are: published date 2019-07-31, modified date 2026-05-12, affected U-Boot versions through 2019.07, vulnerability type stack-based buffer overflow, CWE-787, and CVSS 3.0 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The recommendations intentionally stay at a defensive level and do not assume unpublished patch details.

Official resources

Public disclosure date is 2019-07-31, matching the CVE/NVD published timestamp supplied in the corpus. The later 2026-05-12 modified timestamp reflects record maintenance, not the original issue date.