PT-2026-56475 · U-Boot · U-Boot

Vulncheck

·

Published

2026-07-08

·

Updated

2026-07-08

·

CVE-2026-29008

CVSS v3.1

7.5

High

VectorAV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions U-Boot versions prior to 2026.04-rc3
Description An integer underflow exists in the tcp rx state machine() function within net/tcp.c. A network-adjacent attacker can trigger this by sending a malformed TCP SYN+ACK packet with a manipulated data offset field, causing the payload len variable to become negative. When the TCP SYN SENT handler calls tcp rx user data() without performing tcp seg in wnd() validation, this negative value is converted to a large unsigned integer and passed to memcpy() in the store block() function. This results in an immediate crash that prevents the device from booting and may lead to memory corruption if CONFIG LMB is disabled.
Recommendations Update U-Boot to version 2026.04-rc3 or later.

Fix

Integer Underflow

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-29008

Affected Products

U-Boot