PatchSiren

CVE-2022-30790 Denx CVE debrief

CVE-2022-30790 is a high-severity buffer overflow affecting Denx U-Boot 2022.01. NVD classifies the issue as CWE-787 and rates it 7.8 (CVSS 3.1: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). The NVD record also notes that this is a different issue than CVE-2022-30552. Because U-Boot is a bootloader used in embedded and firmware environments, affected systems should be identified and updated using vendor and downstream guidance.

Vendor: Denx
Product: CVE-2022-30790
CVSS: HIGH 7.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2022-06-08
Original CVE updated: 2026-05-12
Advisory published: 2022-06-08
Advisory updated: 2026-05-12

Who should care

Teams that build, ship, or maintain systems using U-Boot 2022.01 should care most, especially embedded-device vendors, firmware engineers, OEM/ODM maintainers, and downstream distributors such as Linux/firmware package maintainers.

Technical summary

NVD lists CVE-2022-30790 as a buffer overflow in Denx U-Boot 2022.01, mapped to CWE-787. The published CVSS vector indicates a local attack context with low attack complexity and low privileges required, and high impacts to confidentiality, integrity, and availability. NVD references third-party advisories and identifies the vulnerable CPE as cpe:2.3:a:denx:u-boot:2022.01:*:*:*:*:*:*:*.

Defensive priority

High for any environment that ships or depends on U-Boot 2022.01. Even with local attack conditions in the CVSS vector, bootloader vulnerabilities can be consequential in device supply chains and firmware maintenance paths.

Recommended defensive actions

  • Inventory all products, images, and firmware builds that include U-Boot 2022.01.
  • Check vendor and downstream advisories for patched U-Boot releases and upgrade guidance.
  • Prioritize remediation in devices that can receive firmware updates and in products exposed to untrusted local access.
  • Validate that any affected bootloader builds are replaced or rebuilt from a fixed U-Boot version before shipment.
  • Track downstream maintainer notices for packaged firmware or board-support updates related to this CVE.
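
One way to start the inventory step, as an added example that is not part of the NVD record or of any vendor tooling: scan raw firmware images for the version banner that U-Boot embeds in its binaries and flag those whose base version is 2022.01. The function names and sample images are constructed for illustration, and treating suffixed builds (such as "-rc3" or a vendor git suffix) as the same base version is an assumption that needs manual review.

```python
import re
from pathlib import Path

# Version banner embedded in U-Boot and SPL binaries, for example
# "U-Boot 2022.01 (Jan 10 2022 - 12:00:00 +0000)". Vendor builds often
# append a suffix such as "-dirty" or "-00012-gabc1234" to the version.
BANNER = re.compile(rb"U-Boot (?:SPL )?(\d{4}\.\d{2})([\w.+-]*) \(")
AFFECTED_BASE = "2022.01"  # taken from the vulnerable CPE quoted on this page


def find_uboot_banners(blob: bytes):
    """Return (offset, base_version, suffix) for each banner in a raw image."""
    return [(m.start(), m.group(1).decode(), m.group(2).decode())
            for m in BANNER.finditer(blob)]


def triage(blob: bytes):
    """Classify one image as 'affected', 'other-version' or 'no-banner'."""
    hits = find_uboot_banners(blob)
    if not hits:
        return "no-banner", hits
    # Assumption: any suffix on 2022.01 is still flagged for human review.
    if any(base == AFFECTED_BASE for _, base, _ in hits):
        return "affected", hits
    return "other-version", hits


def scan_tree(root: str):
    """Triage every regular file under root; returns {path: (status, hits)}."""
    return {str(p): triage(p.read_bytes())
            for p in sorted(Path(root).rglob("*")) if p.is_file()}


# Constructed sample images (not real firmware): padding plus a banner.
SAMPLE_AFFECTED = (b"\x00" * 64 +
                   b"U-Boot 2022.01-00012-gabc1234 (Jan 10 2022 - 12:00:00 +0000)\x00")
SAMPLE_OTHER = b"\xff" * 16 + b"U-Boot SPL 2022.07 (Jul 11 2022 - 09:30:00 +0000)\x00"
SAMPLE_NONE = b"\x7fELF" + b"\x00" * 32

if __name__ == "__main__":
    for name, blob in [("affected.bin", SAMPLE_AFFECTED),
                       ("other.bin", SAMPLE_OTHER),
                       ("none.bin", SAMPLE_NONE)]:
        print(name, *triage(blob))
```

A "no-banner" result is not proof of absence: compressed or encrypted containers hide the banner and must be unpacked before scanning, and "other-version" only means the base version differs from 2022.01, not that the build is fixed.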

Evidence notes

This debrief is based on the NVD record for CVE-2022-30790, which was published on 2022-06-08 and modified on 2026-05-12. Evidence includes the NVD CVSS vector (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), the CWE-787 classification, the vulnerable CPE for Denx U-Boot 2022.01, and NVD-linked references to NCC Group, GitHub tags, Debian LTS, and Siemens CERT. The description supplied by NVD states that this is a different issue than CVE-2022-30552.

Official resources

Publicly disclosed on 2022-06-08 according to the CVE/NVD record; NVD also references a third-party technical advisory dated 2022-06-03.