Security Disclosure: Multiple buffer overflow vulnerabilities in NFS client
Jerome Forissier
jerome.forissier at arm.com
Tue Mar 3 18:09:24 CET 2026
Hi Tom/Sin Liang,
On 27/02/2026 23:07, Tom Rini wrote:
> On Fri, Feb 27, 2026 at 09:28:44PM +0000, Lee, Sin Liang wrote:
>
>> Thank you for the quick response. We will follow the submission guidelines for our fixes and attribution.
>> In the meantime, would you be able to confirm the reported vulnerabilities on your side? That would help us make sure we are aligned on impact and scope as we finalize the fixes.
>
> I'm adding our networking custodian to the thread, for when he has time
> to take a look.
>
>> Regards,
>> Sin Liang
I have reviewed the submissions and believe the reported vulnerabilities are valid.
However, I would question the C:H rating in all reports except UBOOT_NFS_OOB_READ. It is not clear to me how data could be disclosed in those cases, so a C:N rating may be more appropriate.
I also have a few minor comments on the proposed patches, which can be addressed once the patches are submitted to the mailing list.
Thanks,
--
Jerome