PT-2026-56474 · U-Boot · U-Boot
Vulncheck
·
Published
2026-07-08
·
Updated
2026-07-08
·
CVE-2026-29007
CVSS v3.1
5.3
Medium
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L |
U-Boot through 2026.04-rc3 contains an out-of-bounds read vulnerability in tcp rx state machine() (net/tcp.c) when CONFIG PROT TCP is enabled, allowing remote attackers to read beyond TCP segment boundaries by crafting a malicious packet with a mismatched IP total length and TCP data offset field. Attackers can send a packet with an IP total length of 40 bytes and a TCP data offset claiming 60 bytes of header to cause tcp parse options() to read 40 bytes past the end of the TCP segment, potentially corrupting connection state variables such as rmt win scale and rmt timestamp to disrupt TCP window calculations.
Fix
Out of bounds Read
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
U-Boot