Security Disclosure: Multiple buffer overflow vulnerabilities in NFS client

Tom Rini trini at konsulko.com
Fri Feb 27 19:42:02 CET 2026


On Fri, Feb 27, 2026 at 06:25:14PM +0000, Lee, Sin Liang wrote:

> Dear U-Boot Maintainers,
> 
> I'm Sin Liang Lee, a member of Team Atlanta <https://team-atlanta.github.io/> from Georgia Institute of Technology, winners of DARPA's AI Cyber Challenge (AIxCC) <https://aicyberchallenge.com/>. We're reaching out to submit a vulnerability report that we identified using our system, ATLANTIS, in your project. This effort is part of DARPA's initiative to apply competition technologies to real-world open source projects.
> 
> We have built an AI-enhanced CRS (Cyber Reasoning System) for automatic vulnerability detection and repair. Using a combination of targeted fuzzing (via OSS-Fuzz infrastructure) and AI-assisted static analysis, we identified four buffer overflow vulnerabilities in the U-Boot NFS client reply parsers (net/nfs-common.c). These affect the current upstream codebase and include a signedness bypass of the mitigation introduced for CVE-2019-14193.

Ah, so that explains the squashfs report last week. I am glad to see
that part of the challenge now is fixing and not just reporting the
issues. Please see
https://docs.u-boot.org/en/latest/develop/sending_patches.html for how
to correctly submit patches to the project. And while we do not
currently have formal guidelines around AI-assisted contributions,
please see:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/Documentation/process/coding-assistants.rst
for how the Linux Kernel expects things to be attributed and note that
we also are requesting that the commit message be human and not
AI-written/assisted. Thanks!

-- 
Tom