Security Disclosure: Multiple buffer overflow vulnerabilities in NFS client

Tom Rini trini at konsulko.com
Fri Feb 27 23:07:30 CET 2026


On Fri, Feb 27, 2026 at 09:28:44PM +0000, Lee, Sin Liang wrote:

> Thank you for the quick response. We will follow the submission guidelines for our fixes and attribution.
> In the meantime, would you be able to confirm the reported vulnerabilities on your side? That would help us make sure we are aligned on impact and scope as we finalize the fixes.

I'm adding our networking custodian to the thread, for when he has time
to take a look.

> Regards,
> Sin Liang
> 
> 
> ________________________________
> From: Tom Rini
> Sent: Friday, February 27, 2026 1:42 PM
> To: Lee, Sin Liang
> Cc: u-boot at lists.denx.de; Kim, Taesoo; Zhang, Cen; anshuld at ti.com; bb at ti.com
> Subject: Re: Security Disclosure: Multiple buffer overflow vulnerabilities in NFS client
> 
> On Fri, Feb 27, 2026 at 06:25:14PM +0000, Lee, Sin Liang wrote:
> 
> > Dear U-Boot Maintainers,
> >
> > I'm Sin Liang Lee, a member of Team Atlanta <https://team-atlanta.github.io/> from Georgia Institute of Technology, winners of DARPA's AI Cyber Challenge (AIxCC) <https://aicyberchallenge.com/>. We're reaching out to submit a vulnerability report that we identified using our system, ATLANTIS, in your project. This effort is part of DARPA's initiative to apply competition technologies to real-world open source projects.
> >
> > We have built an AI-enhanced CRS (Cyber Reasoning System) for automatic vulnerability detection and repair. Using a combination of targeted fuzzing (via OSS-Fuzz infrastructure) and AI-assisted static analysis, we identified four buffer overflow vulnerabilities in the U-Boot NFS client reply parsers (net/nfs-common.c). These affect the current upstream codebase and include a signedness bypass of the mitigation introduced for CVE-2019-14193.
> 
> Ah, so that explains the squashfs report last week. I am glad to see
> that part of the challenge now is fixing and not just reporting the
> issues. Please see
> https://docs.u-boot.org/en/latest/develop/sending_patches.html for how
> to correctly submit patches to the project. And while we do not
> currently have formal guidelines around AI-assisted contributions,
> please see:
> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/Documentation/process/coding-assistants.rst
> for how the Linux Kernel expects things to be attributed and note that
> we also are requesting that the commit message be human and not
> AI-written/assisted. Thanks!
> 
> --
> Tom

-- 
Tom