Fwd: SySS Responsible Disclosure Policy - U-Boot vulnerabilities

Robin Trost Robin.Trost at syss.de
Thu Jun 11 08:33:49 CEST 2026


Hi Tom,

I've just seen that my mail regarding some vulnerabilities I identified 
within u-boot was rejected by your mail provider.

Therefore, I have just forwarded you the mail (without the advisories 
attached). The identified vulnerabilities are:

- SYSS-2026-038: Arbitrary OOB Heap Write (NAND)
- SYSS-2026-039: Arbitrary OOB Heap Write / Integer Underflow (RSA 
Public Key Parsing)
- SYSS-2026-040: Arbitrary OOB Heap Write (Ext4)
- SYSS-2026-041: Arbitrary OOB Heap Read (Ext4)

If you would like further information (or the attached advisory 
files, including reproducer scripts), let me know.

Kind regards,
Robin


-------- Forwarded Message --------
Subject: SySS Responsible Disclosure Policy
Date: Wed, 10 Jun 2026 15:46:26 +0200
From: Robin Trost <Robin.Trost at syss.de>
To: u-boot at lists.denx.de <u-boot at lists.denx.de>
CC: trini at konsulko.com <trini at konsulko.com>, p_mailqueue_disclosure 
<disclosure at syss.de>

Hi all,

SySS GmbH deals with security issues in a responsible way. In the 
form of a security advisory, we report security vulnerabilities that are 
not in products of our customers and that are not excluded from public 
disclosure due to contractual agreements with vendors.

The attached security advisories contain detailed information about the 
identified vulnerabilities, which allows the vendor to reproduce and further 
investigate the reported security issues. Vulnerabilities will be 
disclosed to the public once a solution has been published by the vendor, or 45 
days after the initial report by SySS GmbH, regardless of the 
vulnerability status, for example whether there is a patch or workaround from 
the affected vendor. In well-founded exceptional cases, this standard 
procedure may not be followed and an alternative, adjusted publication 
schedule will be negotiated with the vendor.

The goal of our Responsible Disclosure Policy is to weigh the need 
of the public to know about security vulnerabilities against the vendor's 
time to remedy all security issues effectively. The final publication 
schedule will be based on the best interests of the community overall, 
considering both positions. Before the responsible disclosure of a 
security vulnerability, SySS GmbH gives vendors the opportunity to 
analyze reported security issues, to develop effective countermeasures, 
and to test them thoroughly.

If there are any further questions regarding the identified 
vulnerabilities, do not hesitate to contact me.

Kind regards,
-- 
Robin Trost
Senior IT-Security Consultant
______________________________________________________________

SySS GmbH
Schaffhausenstraße 77, 72072 Tübingen, Germany
Tel: +49 (0)7071 - 40 78 56-6169
Mobile: +49 (0)151 - 42209330
E-Mail: Robin.Trost at syss.de
Conf. Calls: https://syss.zoom.us/my/robin.trost
Web: https://syss.de

PGP-Fingerprint: 85FE 80E2 04F3 6177 C61A 4618 61DE F14F 698E 6EB3

Managing Director: Sebastian Schreiber
Court of registration: Amtsgericht Stuttgart / HRB 382420
Tax number: 86118 / 55809
