These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.
CVE-2022-2347 is a pre-boot memory corruption issue in U-Boot’s USB DFU path. According to the supplied record, the DFU implementation does not bound the USB download setup packet length or verify that the transfer direction matches the command, allowing a physical attacker to exceed the heap-allocated request buffer when wLength is greater than 4096 bytes.
CVE-2022-34835 is a critical memory-corruption issue in Das U-Boot’s "i2c md" command. An integer signedness error can trigger a stack-based buffer overflow and corrupt the return address pointer in do_i2c_md, making affected firmware builds high risk wherever the command path is reachable.
CVE-2022-30790 is a high-severity buffer overflow affecting Denx U-Boot 2022.01. NVD classifies the issue as CWE-787 and rates it 7.8 (CVSS 3.1: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). The NVD record also notes that this is a different issue than CVE-2022-30552. Because U-Boot is a bootloader used in embedded and firmware environments, affected systems should be identified and updated using vendor and downs [truncated]
CVE-2022-30552 is a buffer overflow in Denx U-Boot 2022.01. NVD scores it 5.5/Medium and classifies the issue as locally exploitable with low privileges and no user interaction, with a primary impact on availability. For embedded and firmware teams, the main concern is denial of service or boot disruption in devices that ship or embed the affected U-Boot release.
CVE-2020-10648 describes a verified-boot bypass in U-Boot through 2020.01. A crafted FIT image can defeat the intended boot restrictions when a system is configured to use the default configuration, enabling an attacker to boot arbitrary images. The NVD record classifies the issue as high severity and ties it to integrity impacts on the boot trust chain.
CVE-2019-13106 is a high-severity flaw in U-Boot’s ext4 filesystem handling. A crafted ext4 image can cause memset() to write too much data during parsing, leading to a stack buffer overflow. Because U-Boot runs early in the boot chain, successful exploitation can have serious integrity and availability impact, and the NVD record rates confidentiality, integrity, and availability as high.
CVE-2019-13104 is a high-severity memory corruption issue in Das U-Boot's ext4 filesystem handling. According to the CVE description, an underflow can cause memcpy() to overwrite a very large amount of data, including the whole stack, when reading a crafted ext4 filesystem. NVD rates the issue 7.8 HIGH with local access and user interaction required, so the main risk is to devices that parse untrusted sto [truncated]
CVE-2019-14204 is a critical memory-corruption issue in Das U-Boot through 2019.07. The NVD description identifies a stack-based buffer overflow in the NFS reply helper function nfs_umountall_reply. The published CVSS 3.0 vector indicates a network-reachable issue with no privileges or user interaction required, and potential high impact to confidentiality, integrity, and availability.
CVE-2019-14203 is a critical stack-based buffer overflow in Das U-Boot's nfs_handler reply helper function nfs_mount_reply. The issue is described as affecting U-Boot through 2019.07 and is rated CVSS 9.8, reflecting high impact with network access, no privileges, and no user interaction required.
CVE-2019-14202 is a critical memory-safety flaw in Das U-Boot through 2019.07. NVD describes it as a stack-based buffer overflow in the nfs_handler reply helper function nfs_readlink_reply. The CVSS 3.0 vector indicates a network-reachable issue with no privileges or user interaction required and high confidentiality, integrity, and availability impact, so affected firmware should be treated as urgent to [truncated]
CVE-2019-14201 is a critical memory-corruption flaw in Das U-Boot. According to the NVD record, the issue is a stack-based buffer overflow in the NFS reply helper function nfs_lookup_reply, with affected versions through 2019.07. NVD rates the issue 9.8 (CVSS 3.0: network reachable, no privileges, no user interaction, and high impact to confidentiality, integrity, and availability).
CVE-2019-14200 is a critical stack-based buffer overflow in Das U-Boot's NFS reply helper rpc_lookup_reply, affecting versions through 2019.07. Because the vulnerable path is network reachable and requires no authentication or user interaction, affected bootloader deployments should treat it as urgent.
CVE-2019-14199 is a critical memory-corruption issue in DENX U-Boot’s UDP packet handling. NVD describes an integer underflow in net_process_received_packet during udp_packet_handler processing that can lead to an unbounded memcpy when parsing a UDP packet.
CVE-2019-14198 is a critical memory-corruption issue in Das U-Boot affecting versions through 2019.07. NVD describes an unbounded memcpy with a failed length check in nfs_read_reply when store_block is called in the NFSv3 case. Because the vulnerable path is network-facing and requires no privileges or user interaction, systems that boot over NFS or otherwise expose U-Boot network boot functionality shoul [truncated]
CVE-2019-14197 is a high-severity memory-safety issue in Das U-Boot through 2019.07. NVD describes it as an out-of-bounds read in nfs_read_reply, with a CVSS 3.0 score of 9.1 (network-reachable, no privileges or user interaction, high confidentiality impact, and high availability impact). For organizations that use U-Boot in embedded devices—especially where NFS-based boot paths are enabled—this should be [truncated]
CVE-2019-14196 is a critical memory corruption vulnerability in Das U-Boot affecting versions through 2019.07. The issue is described as an unbounded memcpy after a failed length check in nfs_lookup_reply, which maps to CWE-787 (out-of-bounds write). Because the CVSS vector is network-exploitable with no privileges or user interaction and with high confidentiality, integrity, and availability impact, this [truncated]
CVE-2019-14195 is a critical memory corruption issue in Das U-Boot affecting versions through 2019.07. The flaw is in NFS readlink handling, where an unbounded memcpy uses an unvalidated length in nfs_readlink_reply after the new path length is computed. Because the issue is reachable in networking code and scored 9.8, it should be treated as urgent for any environment that boots or interacts with U-Boot over NFS.
CVE-2019-14194 describes a critical flaw in U-Boot through 2019.07 affecting the NFSv2 reply path. In the vulnerable flow, nfs_read_reply can call store_block after a failed length check, resulting in an unbounded memcpy. Because the issue is network-reachable and rated CVSS 9.8, it should be treated as an urgent bootloader hardening and patching priority for any device that uses U-Boot network boot or NF [truncated]
CVE-2019-14193 is a critical memory-corruption vulnerability in Das U-Boot through 2019.07. NVD describes an unbounded memcpy with an unvalidated length in nfs_readlink_reply after calculating a new path length, and rates the issue 9.8 (CVSS 3.0: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
CVE-2019-14192 is a critical memory-corruption flaw in Das U-Boot’s network packet handling. According to the NVD record, a UDP packet parsed through nc_input_packet can drive an integer underflow in net_process_received_packet, leading to an unbounded memcpy. The CVSS 3.0 vector is network-reachable, requires no privileges or user interaction, and is scored 9.8. Systems using affected U-Boot releases thr [truncated]
CVE-2019-13103 is a high-severity bootloader flaw in Denx U-Boot. According to the supplied NVD record, a crafted self-referential DOS partition table can trigger infinite recursion in the parser, causing the stack to grow until the system crashes or overwrites other data. NVD lists affected U-Boot versions through 2019.07-rc4, and the weakness is categorized as CWE-674 (Uncontrolled Recursion).