PatchSiren

PatchSiren cyber security CVE debrief

CVE-2022-2347 Denx CVE debrief

CVE-2022-2347 is a pre-boot memory corruption issue in U-Boot’s USB DFU path. According to the supplied record, the DFU implementation does not bound the USB download setup packet length or verify that the transfer direction matches the command, allowing a physical attacker to exceed the heap-allocated request buffer when wLength is greater than 4096 bytes.

Vendor: Denx
Product: CVE-2022-2347
CVSS: HIGH 7.7
CISA KEV: Not listed in stored evidence
Original CVE published: 2022-09-23
Original CVE updated: 2026-05-12
Advisory published: 2022-09-23
Advisory updated: 2026-05-12

Who should care

U-Boot maintainers, embedded device vendors, OEM firmware teams, and security teams responsible for products that expose USB DFU or other pre-boot recovery interfaces where physical access is realistic.

Technical summary

The issue is an unchecked length field in U-Boot DFU download setup handling. The supplied NVD record says the vulnerable range covers denx:u-boot versions from 2012.10 through 2022.07 and maps the flaw to CWE-787 as primary, with CWE-122 also noted in the coordination reference. The CVSS vector is AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H, reflecting that exploitation requires local/physical access and interaction, but can still have high impact on confidentiality, integrity, and availability.

Defensive priority

High. This is a memory corruption flaw in bootloader code exposed through USB DFU, so affected products should treat it as a firmware-security priority whenever physical access or service-mode access is plausible.

Recommended defensive actions

  • Upgrade to a U-Boot release newer than 2022.07, or apply the vendor backport/fix if you maintain a downstream fork.
  • Disable USB DFU on products that do not require it, especially in deployed devices with exposed physical ports.
  • Restrict physical access to devices that keep DFU enabled, including service benches, kiosks, and field-deployed systems.
  • Review downstream code for similar unchecked USB request lengths and ensure the transfer direction is validated against the command.
  • Add regression tests for DFU request parsing, including length bounds and direction checks.
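As an added example for the last two actions (it is not U-Boot's own code): a minimal model of the two checks the record says the DFU download path lacked, with a handler that copies into a heap buffer only after the setup packet is validated, so the same functions can be driven by regression tests. The DFU request codes and the direction bit follow the USB DFU specification and the 4096-byte buffer size comes from the advisory; every type and function name here is an assumption.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed illustration, not U-Boot's own code. Request codes and the
 * direction bit follow the USB DFU spec; buffer size and names are assumed. */
#define DFU_REQ_BUF_SIZE 4096      /* heap buffer size cited in the advisory */
#define USB_DIR_IN       0x80      /* bmRequestType bit 7 set: device-to-host */
#define DFU_DNLOAD       1         /* host-to-device payload transfer */
#define DFU_UPLOAD       2         /* device-to-host payload transfer */

struct usb_setup {                 /* the 8-byte USB control setup packet */
    uint8_t  bmRequestType;
    uint8_t  bRequest;
    uint16_t wValue;
    uint16_t wIndex;
    uint16_t wLength;
};

enum dfu_check { DFU_OK = 0, DFU_BAD_REQUEST, DFU_BAD_DIRECTION, DFU_BAD_LENGTH };

/* Validate a DNLOAD setup packet before any data is copied. These are the
 * checks the vulnerable path lacked: wLength is bounded by the request
 * buffer, and the direction bit must agree with the command. */
enum dfu_check dfu_check_dnload(const struct usb_setup *s)
{
    if (s->bRequest != DFU_DNLOAD)
        return DFU_BAD_REQUEST;
    if (s->bmRequestType & USB_DIR_IN)     /* DNLOAD is host-to-device only */
        return DFU_BAD_DIRECTION;
    if (s->wLength > DFU_REQ_BUF_SIZE)     /* would overrun the heap buffer */
        return DFU_BAD_LENGTH;
    return DFU_OK;
}

/* Copy the payload into a heap buffer only after the packet passes the check.
 * Returns the number of bytes accepted, or -1 when the packet is rejected. */
int dfu_handle_dnload(const struct usb_setup *s, const uint8_t *payload)
{
    if (dfu_check_dnload(s) != DFU_OK)
        return -1;
    uint8_t *buf = malloc(DFU_REQ_BUF_SIZE);
    if (!buf)
        return -1;
    memcpy(buf, payload, s->wLength);      /* bounded: wLength <= 4096 here */
    free(buf);                             /* a real handler would consume it */
    return (int)s->wLength;
}
```

The boundary cases worth pinning in a regression suite are wLength exactly 4096 (accepted), 4097 (rejected), a DNLOAD with the IN bit set (rejected), and an UPLOAD code sent to the download handler (rejected).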

Evidence notes

The supplied NVD record states that U-Boot DFU does not bound the USB DFU download setup packet length and does not verify transfer direction, and that a physical attacker can overrun the heap-allocated request buffer when wLength exceeds 4096 bytes. NVD lists the vulnerable CPE range as denx:u-boot from 2012.10 through 2022.07 and assigns CVSS 3.1 vector AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H. The record includes references to oss-sec, Debian LTS, and Siemens ProductCERT; the full text of those references is not included in the supplied corpus.

Official resources

Published 2022-09-23T13:15:10.133Z and modified 2026-05-12T10:16:37.550Z in the supplied record. No KEV listing is provided in the corpus.