Request for Clarification Regarding CVE-2025-45512 Affecting U-Boot v1.1.3

Tom Rini trini at konsulko.com
Wed Aug 6 21:21:03 CEST 2025


On Wed, Aug 06, 2025 at 07:35:40AM +0700, rama wrote:
> Dear DENX Team,
> 
> I hope this message finds you well.
> 
> I am writing to seek clarification regarding a recent CVE entry —
> **CVE-2025-45512** — which claims a security issue in U-Boot version
> v1.1.3, stating that it allows loading and executing arbitrary firmware
> images without verifying cryptographic signatures.
> 
> As far as I understand, U-Boot (especially older versions like v1.1.3) does
> not perform any image signature verification by design unless specifically
> configured to do so with FIT signatures or integrated into a secure boot
> chain.
> 
> Given this, I would like to ask:
> 
> 1. Is CVE-2025-45512 (https://www.cve.org/CVERecord?id=CVE-2025-45512) an
> officially acknowledged vulnerability by DENX or the U-Boot project?

No, it is not known or acknowledged and as far as I know was never
reported.

> 2. Do you consider the described behavior to be a vulnerability, or rather
> a default characteristic of early U-Boot versions?
> 3. Has this issue been addressed or mitigated in later U-Boot versions
> (e.g., with FIT signature and RSA verification support)?
> 4. Are there any recommended mitigations for users still using legacy
> versions like v1.1.3?
> 
> Understanding your stance would greatly help clarify the scope and risk
> associated with this CVE.
> 
> Thank you for your time and for your continued work on U-Boot.

U-Boot v1.1.3 was released in 2005. I feel like that in and of itself
should be enough of a "Don't do that for production".

-- 
Tom