PatchSiren

u-boot CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

HIGH u-boot CVE published 2026-07-08

CVE-2026-29009

CVE-2026-29009 is a buffer overflow vulnerability in the U-Boot firmware, specifically in the nfs_readlink_reply() function located in net/nfs-common.c. This vulnerability is exploitable when the CONFIG_CMD_NFS configuration option is enabled. A malicious or compromised NFS server can exploit this vulnerability by returning multiple relative symlink targets that are appended without proper cumulative leng [truncated]

HIGH u-boot CVE published 2026-07-08

CVE-2026-29008

CVE-2026-29008 is an integer underflow vulnerability in the tcp_rx_state_machine() function in U-Boot. The vulnerability allows a network-adjacent attacker to crash the bootloader by sending a malformed TCP SYN+ACK packet with a manipulated data offset field. This causes payload_len to become negative, which is then implicitly converted to a large unsigned integer and passed to memcpy() in store_block(), [truncated]

MEDIUM u-boot CVE published 2026-07-08

CVE-2026-29007

CVE-2026-29007 is an out-of-bounds read vulnerability in the U-Boot firmware, specifically in the tcp_rx_state_machine() function located in net/tcp.c. This vulnerability is triggered when CONFIG_PROT_TCP is enabled, allowing remote attackers to read beyond TCP segment boundaries by crafting a malicious packet with a mismatched IP total length and TCP data offset field.