Coordinated Vulnerability Disclosure - U-Boot Multiple Vulnerabilities (3)
Daniel Golle
daniel at makrotopia.org
Fri May 8 19:47:30 CEST 2026
On Fri, May 08, 2026 at 01:20:44PM -0400, Wade Sparks wrote:
> Hello U-Boot mailing list,
>
> [...]
> We have provisionally allocated the following CVE IDs, which have been
> shared with the researcher but will remain private until public disclosure:
>
> - *CVE-2026-29007* - Out-of-Bounds Read in TCP Options Parser
> - *CVE-2026-29008* - Integer Underflow in TCP Payload Length
> - *CVE-2026-29009* - Buffer Overflow via NFS Symlink Chain
>
> Please be aware that none of this information is public at this moment and
> all parties involved are considered under embargo. The researcher has
> provided us with a comprehensive technical report including reproduction
> steps. Once an appropriate point of contact is identified, we'd be happy to
> share those materials with your team.

Well, you've just posted it to a public mailing list, which even
includes a search-engine indexed public archive. The mere description
of the CVEs above already tells a lot (I'm sure any decent LLM can
identify the vuln just based on the CVE title given the source code
repo), and should not have been made public before the fixes have
landed, and users have been given time to pick them up.

So I suppose you have to act fast now. Tom, Simon and Marek are the
primary contact points (I'm just an external contributor, do NOT share
any details with me).