Coordinated Vulnerability Disclosure - U-Boot Multiple Vulnerabilities (3)
Tom Rini
trini at konsulko.com
Fri May 8 19:51:17 CEST 2026
On Fri, May 08, 2026 at 06:47:30PM +0100, Daniel Golle wrote:
> On Fri, May 08, 2026 at 01:20:44PM -0400, Wade Sparks wrote:
> > Hello U-Boot mailing list,
> >
> > [...]
> > We have provisionally allocated the following CVE IDs, which have been
> > shared with the researcher but will remain private until public disclosure:
> >
> > - *CVE-2026-29007* - Out-of-Bounds Read in TCP Options Parser
> > - *CVE-2026-29008* - Integer Underflow in TCP Payload Length
> > - *CVE-2026-29009* - Buffer Overflow via NFS Symlink Chain
> >
> > Please be aware that none of this information is public at this moment and
> > all parties involved are considered under embargo. The researcher has
> > provided us with a comprehensive technical report including reproduction
> > steps. Once an appropriate point of contact is identified, we'd be happy to
> > share those materials with your team.
>
> Well, you've just posted it to a public mailing list, which even
> includes a search-engine indexed public archive. The mere description
> of the CVEs above already tells a lot (I'm sure any decent LLM can
> identify the vuln just based on the CVE title given the source code
> repo), and should not have been made public before the fixes have
> landed, and users have been given time to pick them up.
>
> So I suppose you have to act fast now. Tom, Simon and Marek are the
> primary contact points (I'm just an external contributor, do NOT share
> any details with me).
Our documented process is to disclose things in public. We don't have
the resources for handling issues behind closed doors. I've always
believed bad actors are going to have found problems first. That was
true years ago, and is even more true now in this day and age where
malicious actors can just throw code at LLMs and see what breaks.
--
Tom