Request for Clarification Regarding CVE-2025-45512 Affecting U-Boot v1.1.3

rama ramatrinanda at gmail.com
Wed Aug 6 02:35:40 CEST 2025


Dear DENX Team,

I hope this message finds you well.

I am writing to seek clarification regarding a recent CVE entry —
**CVE-2025-45512** — which claims a security issue in U-Boot version
v1.1.3, stating that it allows loading and executing arbitrary firmware
images without verifying cryptographic signatures.

As far as I understand, U-Boot (especially older versions like v1.1.3) does
not perform any image signature verification by design unless specifically
configured to do so with FIT signatures or integrated into a secure boot
chain.

Given this, I would like to ask:

1. Is CVE-2025-45512 (https://www.cve.org/CVERecord?id=CVE-2025-45512) an
officially acknowledged vulnerability by DENX or the U-Boot project?
2. Do you consider the described behavior to be a vulnerability, or rather
a default characteristic of early U-Boot versions?
3. Has this issue been addressed or mitigated in later U-Boot versions
(e.g., with FIT signature and RSA verification support)?
4. Are there any recommended mitigations for users still using legacy
versions like v1.1.3?

Understanding your stance would greatly help clarify the scope and risk
associated with this CVE.

Thank you for your time and for your continued work on U-Boot.

Best regards,
rama tri nanda
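
Added example, not part of the original message and not U-Boot's own code: a small audit helper for the legacy image header that old releases boot from, showing that the format carries CRC32 integrity fields but nothing that authenticates the image. The function names and the sample image are constructed for illustration; the 64-byte header layout and magic values are those of the legacy uImage and FDT/FIT formats.

```python
import struct
import zlib

IH_MAGIC = 0x27051956            # legacy uImage magic number
FDT_MAGIC = 0xD00DFEED           # flattened device tree magic, used by FIT images
HDR = struct.Struct(">7I4B32s")  # magic, hcrc, time, size, load, ep, dcrc,
                                 # os, arch, type, comp, name[32] (64 bytes)

def build_legacy(payload, name=b"constructed-sample"):
    """Build a constructed legacy image (hypothetical stand-in for a real one)."""
    # os/arch/type/comp, load and entry are left zero in this constructed sample.
    fields = [IH_MAGIC, 0, 0, len(payload), 0, 0, zlib.crc32(payload),
              0, 0, 0, 0, name]
    fields[1] = zlib.crc32(HDR.pack(*fields))  # header CRC, computed with hcrc = 0
    return HDR.pack(*fields) + payload

def audit_image(blob):
    """Report which integrity/authenticity checks an image format can support."""
    if blob[:4] == struct.pack(">I", FDT_MAGIC):
        # FIT container: signatures are optional, so they need a separate check.
        return {"format": "fit", "authenticated": None}
    if len(blob) < HDR.size:
        return {"format": "unknown"}
    magic, hcrc, _time, size, _load, _ep, dcrc, *_ = HDR.unpack(blob[:HDR.size])
    if magic != IH_MAGIC:
        return {"format": "unknown"}
    # The header CRC covers the header with its own hcrc field zeroed.
    zeroed = blob[:4] + b"\x00" * 4 + blob[8:HDR.size]
    data = blob[HDR.size:HDR.size + size]
    return {
        "format": "legacy",
        "header_crc_ok": zlib.crc32(zeroed) == hcrc,
        "data_crc_ok": len(data) == size and zlib.crc32(data) == dcrc,
        # CRC32 is unkeyed: it detects corruption, not who produced the image.
        "authenticated": False,
    }

if __name__ == "__main__":
    image = build_legacy(b"constructed payload bytes")
    print(audit_image(image))
```

A legacy image that passes both CRC checks still reports `authenticated: False`, which is the behaviour the questions above are asking about.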

