PT-2026-56474 · U-Boot · U-Boot

Vulncheck

·

Published

2026-07-08

·

Updated

2026-07-08

·

CVE-2026-29007

CVSS v3.1

5.3

Medium

VectorAV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
U-Boot through 2026.04-rc3 contains an out-of-bounds read vulnerability in tcp rx state machine() (net/tcp.c) when CONFIG PROT TCP is enabled, allowing remote attackers to read beyond TCP segment boundaries by crafting a malicious packet with a mismatched IP total length and TCP data offset field. Attackers can send a packet with an IP total length of 40 bytes and a TCP data offset claiming 60 bytes of header to cause tcp parse options() to read 40 bytes past the end of the TCP segment, potentially corrupting connection state variables such as rmt win scale and rmt timestamp to disrupt TCP window calculations.

Fix

Out of bounds Read

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-29007

Affected Products

U-Boot