Security report: U-Boot composite OS descriptor wLength buffer overflow
Kim, Youngjoon
ykim3186 at gatech.edu
Sun Jul 12 06:40:00 CEST 2026
Hello,
My name is Youngjoon Kim, and I am a PostDoc Security Researcher in SSLab at Georgia Tech. I'd like to report a potential security bug in U-Boot regarding a heap buffer overflow that a malicious USB host can trigger in the composite gadget Microsoft OS descriptor handler.
Target:
Project: u-boot
Repo: https://github.com/u-boot/u-boot
Pinned ref: 922cf29dd8045f7348ce0f20145f46e8235faf21
Threat Model:
A malicious USB host connected to a device running U-Boot composite gadget mode, with Microsoft OS descriptors enabled and configured, can send a vendor control request whose `wLength` exceeds the fixed 4096-byte EP0 response buffer. The handler uses that host-controlled length to clear the response buffer before applying a capacity limit, causing a heap buffer overflow. The supplied PoC demonstrates the overflow with AddressSanitizer; the supported impact is availability loss through bootloader crash or destabilization, not code execution or data disclosure.
Attached:
When reporting by email, for better readability of the email, we share the full writeup and PoC files via zip file attachment. If you don't want to download an arbitrary zip file and use it, please let us know. The zip file contains:
README.md : full writeup.
poc : the relevant files and scripts for reproducing the PoC
I would like to get help from your expertise to clarify whether this is a valid security threat or not. Thank you.
Best Regards,
Youngjoon Kim
-------------- next part --------------
A non-text attachment was scrubbed...
Name: INT-usb-uboot-osdesc-wlength-oob.zip
Type: application/x-zip-compressed
Size: 43319 bytes
Desc: INT-usb-uboot-osdesc-wlength-oob.zip
URL: <https://lists.denx.de/pipermail/u-boot/attachments/20260712/77567405/attachment.bin>
More information about the U-Boot
mailing list