PatchSiren cyber security CVE debrief

CVE-2019-14201 Siemens CVE debrief

CVE-2019-14201 is a critical memory-corruption flaw in Das U-Boot. According to the NVD record, the issue is a stack-based buffer overflow in the NFS reply helper function nfs_lookup_reply, with affected versions through 2019.07. NVD rates the issue 9.8 (CVSS 3.0: network reachable, no privileges, no user interaction, and high impact to confidentiality, integrity, and availability).

Vendor: Siemens
Product: RUGGEDCOM ROX MX5000
CVSS: CRITICAL 9.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-12
Original CVE updated: 2026-05-14
Advisory published: 2026-05-12
Advisory updated: 2026-05-14

Who should care

Teams that build, ship, maintain, or operate systems using U-Boot through 2019.07 should treat this as urgent, especially where network-based boot or NFS-related paths may be reachable during device startup.

Technical summary

The NVD entry identifies a stack-based buffer overflow in nfs_lookup_reply, described as part of the nfs_handler reply helper path in U-Boot. The vulnerability is mapped to CWE-787 and is scored CVSS 3.0 9.8 with AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating a remotely reachable flaw with no authentication or user interaction required and severe impact if triggered. The affected CPE range in the record extends through U-Boot 2019.07.

Defensive priority

Immediate

Recommended defensive actions

  • Inventory all devices, firmware images, and build outputs that include U-Boot and confirm whether any are at or below version 2019.07.
  • Prioritize upgrading or replacing affected U-Boot builds with a version that contains the vendor or upstream fix.
  • Review the linked upstream project reference and third-party advisories for patch status and any remediation guidance.
  • Assess whether network-boot or NFS-related boot flows are enabled or reachable in your environment and reduce exposure where possible.
  • If immediate upgrading is not possible, apply vendor-approved mitigations or compensating controls from the referenced advisories.
  • Validate firmware supply-chain components so patched builds are actually deployed to fielded devices, not just present in source repositories.
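The first two actions above (inventory every U-Boot build and decide whether it falls at or below 2019.07) can be automated as a screening step. The following is an added example written for this debrief; it is not PatchSiren's, Siemens', or the U-Boot project's code. It assumes only the public U-Boot banner format, "U-Boot <version> (<build date>)" or "U-Boot SPL <version> (...)", which the image embeds and the console `version` command prints. The image contents, names, and the `triage_images` / `parse_uboot_version` / `is_affected` helpers are constructed for illustration.

```python
import re
from typing import Dict, Optional, Tuple

# Last affected release named in the NVD record for CVE-2019-14201.
LAST_AFFECTED = (2019, 7)

# U-Boot images and the console "version" command carry a banner such as
# "U-Boot 2019.07 (Jul 08 2019 - 12:00:00 +0000)" or "U-Boot SPL 2019.07 (...)".
# The pattern also tolerates a leading "v" and -rcN / -dirty / git-describe
# suffixes that appear on non-release builds.
BANNER_RE = re.compile(rb"U-Boot(?: SPL)? v?(\d{4})\.(\d{2})(-[0-9A-Za-z.\-]+)?")

Version = Tuple[int, int, str]  # (year, month, suffix)


def parse_uboot_version(blob: bytes) -> Optional[Version]:
    """Return (year, month, suffix) for the first U-Boot banner in blob, or None."""
    m = BANNER_RE.search(blob)
    if m is None:
        return None
    year, month, suffix = m.groups()
    return int(year), int(month), (suffix or b"").decode("ascii", "replace")


def is_affected(version: Version) -> bool:
    """True when the base release is at or before 2019.07, the range NVD lists.

    Suffixed builds (2019.07-rc1, 2019.04-dirty, 2019.07-00042-gdeadbeef) are
    derived from that base release and are flagged as affected. The screen is
    deliberately conservative: a vendor backport of the fix does not change the
    banner, so a hit means "review this build", not "confirmed vulnerable".
    """
    year, month, _suffix = version
    return (year, month) <= LAST_AFFECTED


def triage_images(images: Dict[str, bytes]) -> Dict[str, str]:
    """Map each image name to 'affected', 'not affected' or 'unknown' (no banner)."""
    verdicts: Dict[str, str] = {}
    for name, blob in images.items():
        version = parse_uboot_version(blob)
        if version is None:
            verdicts[name] = "unknown"
        elif is_affected(version):
            verdicts[name] = "affected"
        else:
            verdicts[name] = "not affected"
    return verdicts


# Constructed sample "firmware images": a few bytes of padding around a banner,
# standing in for real dumps. Names and contents are made up for this example.
SAMPLE_IMAGES: Dict[str, bytes] = {
    "edge-router-a.bin": b"\x00\xff" * 8
    + b"U-Boot 2019.04 (Apr 09 2019 - 10:00:00 +0000)\x00"
    + b"\x00" * 8,
    "edge-router-b.bin": b"\x00" * 4
    + b"U-Boot 2020.01 (Jan 06 2020 - 09:30:00 +0000)\x00",
    "spl-prerelease.bin": b"U-Boot SPL 2019.07-rc1 (Jun 20 2019 - 08:00:00 +0000)\x00",
    "opaque-blob.bin": b"\x7fELF" + b"\x00" * 32,
}

if __name__ == "__main__":
    for name, verdict in triage_images(SAMPLE_IMAGES).items():
        print(f"{name}: {verdict}")
```

Run it against real dumps by replacing `SAMPLE_IMAGES` with the bytes of each firmware image or boot partition. An "unknown" verdict usually means the banner is compressed or the image carries no U-Boot at all, and "affected" is a queue for the remaining actions in the list (confirm patch status against the upstream reference, then verify the fixed build actually reaches fielded devices).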

Evidence notes

This debrief is based on the supplied NVD/CVE corpus and the linked official or cited references in the record. The core facts used here are: published date 2019-07-31, modified date 2026-05-12, affected U-Boot versions through 2019.07, vulnerability type stack-based buffer overflow, CWE-787, and CVSS 3.0 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The recommendations intentionally stay at a defensive level and do not assume unpublished patch details.

Official resources

Public disclosure date is 2019-07-31, matching the CVE/NVD published timestamp supplied in the corpus. The later 2026-05-12 modified timestamp reflects record maintenance, not the original issue date.