PT-2026-56476 · U-Boot · U-Boot

Vulncheck

·

Published

2026-07-08

·

Updated

2026-07-08

·

CVE-2026-29009

CVSS v3.1

8.2

High

VectorAV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
Name of the Vulnerable Software and Affected Versions U-Boot versions prior to 2026.04-rc4
Description A buffer overflow occurs in the nfs readlink reply() function within net/nfs-common.c when CONFIG CMD NFS is enabled. A malicious or compromised NFS server can overflow the 2048-byte nfs path buff buffer by returning multiple relative symlink targets that are appended without cumulative length validation. By sending two or more READLINK responses with relative symlink targets of approximately 1100 bytes each, an attacker can corrupt adjacent BSS variables, including nfs server ip, nfs server mount port, nfs server port, nfs our port, nfs state, and rpc id. This can lead to memory corruption and allow control over the NFS client state machine.
Recommendations Update to a version later than 2026.04-rc3. As a temporary mitigation, disable the CONFIG CMD NFS configuration option.

Fix

Buffer Overflow

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-29009

Affected Products

U-Boot