PatchSiren

PatchSiren cyber security CVE debrief

CVE-2019-14202 Denx CVE debrief

CVE-2019-14202 is a critical memory-safety flaw in Das U-Boot through 2019.07. NVD describes it as a stack-based buffer overflow in the nfs_handler reply helper function nfs_readlink_reply. The CVSS 3.0 vector indicates a network-reachable issue with no privileges or user interaction required and high confidentiality, integrity, and availability impact, so affected firmware should be treated as urgent to assess and update.

Vendor: Denx
Product: CVE-2019-14202
CVSS: CRITICAL 9.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2019-07-31
Original CVE updated: 2026-05-12
Advisory published: 2019-07-31
Advisory updated: 2026-05-12

Who should care

Embedded device vendors, firmware maintainers, OEMs, integrators, and operators of systems that ship or depend on affected U-Boot builds through 2019.07 should prioritize this. It is especially important wherever NFS-related U-Boot functionality is present in deployed images or boot paths.

Technical summary

The NVD record maps this issue to CWE-787 and lists affected denx:u-boot versions through and including 2019.07. The vulnerable code path is described as a stack-based buffer overflow in the nfs_readlink_reply helper used by the NFS handler reply logic. The published CVSS vector is CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, which reflects an easily reachable network attack surface with severe impact potential.
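The following is an added illustration of the CWE-787 pattern described above, written for this debrief; it is not U-Boot's code. The reply layout (a 4-byte big-endian path length followed by the path bytes), the function names and the buffer size are assumptions chosen to show the two bounds checks a reply parser needs before copying into a fixed stack buffer.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical sketch of the bug class behind CVE-2019-14202 (CWE-787).
 * Assumed reply layout: 4-byte big-endian path length, then path bytes. */

#define PATH_MAX_LEN 64  /* fixed-size stack destination, as in the bug class */

enum readlink_status { RL_OK = 0, RL_TRUNCATED_REPLY = -1, RL_TOO_LONG = -2 };

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* The unsafe pattern reads the length field from the reply and copies that
 * many bytes into the stack buffer without comparing it against either the
 * destination size or the number of bytes actually received. The hardened
 * parser below rejects the reply unless both checks pass. */
int parse_readlink_reply(const uint8_t *reply, size_t reply_len,
                         char *path, size_t path_cap)
{
    if (reply_len < 4)
        return RL_TRUNCATED_REPLY;   /* length field itself is missing */
    uint32_t len = be32(reply);
    if (len > reply_len - 4)
        return RL_TRUNCATED_REPLY;   /* claimed length exceeds received bytes */
    if (len >= path_cap)
        return RL_TOO_LONG;          /* would not fit with the terminator */
    memcpy(path, reply + 4, len);
    path[len] = '\0';
    return RL_OK;
}

/* Wrapper using the fixed stack buffer; reports the parsed path length so
 * callers (and tests) can check the result without touching the stack buffer. */
int readlink_reply_len(const uint8_t *reply, size_t reply_len, size_t *out_len)
{
    char path[PATH_MAX_LEN];
    int rc = parse_readlink_reply(reply, reply_len, path, sizeof path);
    if (rc == RL_OK && out_len)
        *out_len = strlen(path);
    return rc;
}
```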

Defensive priority

Immediate. Treat as a high-priority firmware remediation item for any product or image that includes an affected U-Boot version.

Recommended defensive actions

  • Inventory all products, images, and build pipelines that include U-Boot and confirm whether any deployment is at or below 2019.07.
  • Upgrade to a vendor-fixed or upstream-patched U-Boot release newer than the affected range.
  • If an immediate upgrade is not possible, reduce exposure of any reachable NFS-related U-Boot functionality and isolate affected devices on trusted networks.
  • Validate downstream firmware builds and vendor forks, since embedded products may carry backported or customized U-Boot code.
  • Track the linked NVD and vendor advisories for remediation guidance and downstream patch availability.

Evidence notes

The debrief is based on the supplied official CVE/NVD metadata: publication date 2019-07-31, last modified date 2026-05-12, CVSS 9.8, weakness CWE-787, and the affected CPE range ending in U-Boot 2019.07. The record also lists third-party and vendor references including a Semmle advisory, the U-Boot GitLab repository, and a Siemens CERT advisory.

Official resources

Publicly disclosed on 2019-07-31. The supplied NVD record was last modified on 2026-05-12; that later metadata update does not change the original CVE publication date.