PT-2026-56475 · U-Boot · U-Boot
Vulncheck
·
Published
2026-07-08
·
Updated
2026-07-08
·
CVE-2026-29008
CVSS v3.1
7.5
High
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
Name of the Vulnerable Software and Affected Versions
U-Boot versions prior to 2026.04-rc3
Description
An integer underflow exists in the
tcp rx state machine() function within net/tcp.c. A network-adjacent attacker can trigger this by sending a malformed TCP SYN+ACK packet with a manipulated data offset field, causing the payload len variable to become negative. When the TCP SYN SENT handler calls tcp rx user data() without performing tcp seg in wnd() validation, this negative value is converted to a large unsigned integer and passed to memcpy() in the store block() function. This results in an immediate crash that prevents the device from booting and may lead to memory corruption if CONFIG LMB is disabled.Recommendations
Update U-Boot to version 2026.04-rc3 or later.
Fix
Integer Underflow
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
U-Boot