PatchSiren cyber security CVE debrief

CVE-2022-34835 Denx CVE debrief

CVE-2022-34835 is a critical memory-corruption issue in Das U-Boot’s "i2c md" command. An integer signedness error can trigger a stack-based buffer overflow and corrupt the return address pointer in do_i2c_md, making affected firmware builds high risk wherever the command path is reachable.

Vendor: Denx
Product: CVE-2022-34835
CVSS: 9.8 (Critical)
CISA KEV: Not listed in stored evidence
Original CVE published: 2022-06-30
Original CVE updated: 2026-05-12
Advisory published: 2022-06-30
Advisory updated: 2026-05-12

Who should care

Embedded device vendors, board integrators, firmware maintainers, and operators of products that ship U-Boot or expose U-Boot console/management access should prioritize this CVE.

Technical summary

NVD classifies the flaw as CWE-787 (out-of-bounds write) and gives it CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The vulnerable scope in the record covers U-Boot builds before 2022.07 and release candidates 2022.07-rc1 through 2022.07-rc5. The publicly referenced remediation is upstream commit 8f8c04bf1ebbd2f72f1643e7ad9617dafa6e5409 in the U-Boot project, which is also cited in the Denx mailing list advisory.
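To make the bug class concrete, here is a constructed C model of how holding a requested byte count in a signed variable defeats a per-line size clamp, beside the unsigned version that keeps every copy inside the stack buffer. This is an added illustration, not the U-Boot do_i2c_md source or the upstream fix; the buffer size LINE_BUF_LEN, the sample device bytes and all function names are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Assumed size of the per-line stack buffer; the real value is not on the page. */
#define LINE_BUF_LEN 16

/* Constructed sample of "device" bytes that a memory-display command would read. */
static const unsigned char sample_device[64] = { 0xde, 0xad, 0xbe, 0xef };
static unsigned char display_buf[sizeof(sample_device)];

/* Vulnerable model of the length handling: the requested byte count is copied
 * into a signed int, so a large request wraps negative, the clamp against
 * LINE_BUF_LEN is never taken, and the negative count is later used as a size. */
static size_t vulnerable_linebytes(unsigned long requested)
{
    int nbytes = (int)requested;                               /* signedness error */
    int linebytes = (nbytes > LINE_BUF_LEN) ? LINE_BUF_LEN : nbytes;
    return (size_t)linebytes;       /* a negative count converts to a huge size_t */
}

/* Hardened model: the count stays unsigned from parsing to use, so the clamp
 * bounds every read to the buffer size. */
static size_t hardened_linebytes(unsigned long requested)
{
    unsigned int nbytes = (unsigned int)requested;
    return (nbytes > LINE_BUF_LEN) ? LINE_BUF_LEN : nbytes;
}

/* Whether a read of n bytes fits the stack line buffer. */
static bool fits_linebuf(size_t n)
{
    return n <= LINE_BUF_LEN;
}

/* Hardened display loop: copies 'length' bytes starting at 'offset' from the
 * sample device through a stack line buffer into 'out', refusing requests that
 * would run past the device. Returns bytes displayed, or 0 for a rejected request. */
static size_t hardened_dump(unsigned long offset, unsigned long length, unsigned char *out)
{
    unsigned char linebuf[LINE_BUF_LEN];
    size_t done = 0;

    if (offset > sizeof(sample_device) || length > sizeof(sample_device) - offset)
        return 0;                                  /* request exceeds the device */
    while (done < length) {
        size_t linebytes = hardened_linebytes(length - done);   /* <= LINE_BUF_LEN */
        memcpy(linebuf, sample_device + offset + done, linebytes);
        memcpy(out + done, linebuf, linebytes);
        done += linebytes;
    }
    return done;
}
```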

Defensive priority

Immediate. Treat this as a critical bootloader memory-corruption issue and move affected U-Boot deployments to a build that includes the upstream fix as soon as practical.

Recommended defensive actions

  • Inventory all products and firmware images that include U-Boot, especially builds at or before 2022.07-rc5.
  • Confirm whether the affected "i2c md" command path is exposed in your deployment or can be reached through maintenance, factory, or recovery interfaces.
  • Apply the upstream U-Boot fix referenced by commit 8f8c04bf1ebbd2f72f1643e7ad9617dafa6e5409 and rebuild affected firmware.
  • Update downstream vendor packages and images that track U-Boot so they incorporate the patched source tree.
  • If immediate patching is not possible, restrict access to bootloader consoles and management interfaces until the fixed build is deployed.
  • Track downstream advisories and packaging notices, such as the Debian LTS and Siemens references in the record, for distribution-specific guidance.

Evidence notes

This debrief is based on the supplied NVD record and its linked references. The NVD description states that an integer signedness error in U-Boot’s "i2c md" command can cause a stack-based buffer overflow and corrupt the return address pointer of do_i2c_md. The NVD metadata also provides the CWE-787 classification, the CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, and the affected CPE scope covering pre-2022.07 releases and 2022.07-rc1 through rc5. Remediation references in the corpus point to upstream U-Boot commit 8f8c04bf1ebbd2f72f1643e7ad9617dafa6e5409 and the Denx mailing-list advisory.

Official resources

CVE published 2022-06-30T00:15:08.023Z; the supplied NVD record was modified on 2026-05-12T10:16:38.073Z.