Security Disclosure: Multiple buffer overflow vulnerabilities in NFS client
Lee, Sin Liang
slee3846 at gatech.edu
Fri Feb 27 22:28:44 CET 2026
Thank you for the quick response. We will follow the submission guidelines for our fixes and attribution.
In the meantime, would you be able to confirm the reported vulnerabilities on your side? That would help us make sure we are aligned on impact and scope as we finalize the fixes.
Regards,
Sin Liang
________________________________
From: Tom Rini
Sent: Friday, February 27, 2026 1:42 PM
To: Lee, Sin Liang
Cc: u-boot at lists.denx.de; Kim, Taesoo; Zhang, Cen; anshuld at ti.com; bb at ti.com
Subject: Re: Security Disclosure: Multiple buffer overflow vulnerabilities in NFS client
On Fri, Feb 27, 2026 at 06:25:14PM +0000, Lee, Sin Liang wrote:
> Dear U-Boot Maintainers,
>
> I'm Sin Liang Lee, a member of Team Atlanta<https://team-atlanta.github.io/> from Georgia Institute of Technology, winners of DARPA's AI Cyber Challenge (AIxCC)<https://aicyberchallenge.com/>. We're reaching out to submit a vulnerability report that we identified using our system, ATLANTIS, in your project. This effort is part of DARPA's initiative to apply competition technologies to real-world open source projects.
>
> We have built an AI-enhanced CRS (Cyber Reasoning System) for automatic vulnerability detection and repair. Using a combination of targeted fuzzing (via OSS-Fuzz infrastructure) and AI-assisted static analysis, we identified four buffer overflow vulnerabilities in the U-Boot NFS client reply parsers (net/nfs-common.c). These affect the current upstream codebase and include a signedness bypass of the mitigation introduced for CVE-2019-14193.
Ah, so that explains the squashfs report last week. I am glad to see
that part of the challenge now is fixing and not just reporting the
issues. Please see
https://docs.u-boot.org/en/latest/develop/sending_patches.html for how
to correctly submit patches to the project. And while we do not
currently have formal guidelines around AI-assisted contributions,
please see:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/Documentation/process/coding-assistants.rst
for how the Linux Kernel expects things to be attributed and note that
we also are requesting that the commit message be human and not
AI-written/assisted. Thanks!
--
Tom
More information about the U-Boot
mailing list