Coordinated Vulnerability Disclosure - U-Boot Multiple Vulnerabilities (3)

Wade Sparks wsparks at vulncheck.com
Fri May 8 19:20:44 CEST 2026


Hello U-Boot mailing list,

I’m a vulnerability analyst at VulnCheck <https://www.vulncheck.com>, an
exploit intelligence company and research CVE Numbering Authority (CNA),
where I'm one of several folks who manage our coordinated vulnerability
disclosure (CVD) program.

An external security researcher recently reported several vulnerabilities
<https://www.vulncheck.com/advisories/report> impacting the U-Boot
codebase (discovered against release v2026.04-rc3), and VulnCheck is acting
as the intermediary and coordinator.

VulnCheck follows a 120-day disclosure policy
<https://www.vulncheck.com/vulnerability-disclosure-policy>, meaning we
afford vendors/maintainers up to 120 days from the time of receiving the
report to address the issues before publication of CVE records and
third-party advisories. For these vulnerabilities, that 120-day deadline
falls on *September 5, 2026*.

We have provisionally allocated the following CVE IDs, which have been
shared with the researcher but will remain private until public disclosure:

   - *CVE-2026-29007* - Out-of-Bounds Read in TCP Options Parser
   - *CVE-2026-29008* - Integer Underflow in TCP Payload Length
   - *CVE-2026-29009* - Buffer Overflow via NFS Symlink Chain

Please be aware that none of this information is public at this moment and
all parties involved are considered under embargo. The researcher has
provided us with a comprehensive technical report including reproduction
steps. Once an appropriate point of contact is identified, we'd be happy to
share those materials with your team.

If interested in VulnCheck's previous disclosures, you may find those here
<https://www.vulncheck.com/advisories>.

Let us know if you have any questions for us about the CVD process or for
the researcher regarding the reported vulnerabilities.

Respectfully,

<https://www.vulncheck.com/>

Wade Sparks III
VulnCheck
Senior Vulnerability Analyst

