Status of CVE-2025-24857 in U-Boot
Simon Glass
sjg at chromium.org
Tue May 12 20:13:17 CEST 2026
+Tom
Hi Paul,
On Tue, 12 May 2026 at 04:39, Paul Barker <paul at pbarker.dev> wrote:
>
> Hi folks,
>
> We recently had a patch sent to Yocto Project to backport a fix for
> CVE-2025-24857 to our Scarthgap branch which uses U-Boot 2024.01.
> Looking at the CVE info, this has confused me a lot. It says [1]:
>
> Improper access control for volatile memory containing boot code in
> Universal Boot Loader (U-Boot) before 2017.11 and Qualcomm chips
> IPQ4019, IPQ5018, IPQ5322, IPQ6018, IPQ8064, IPQ8074, and IPQ9574
> could allow an attacker to execute arbitrary code.
>
> The NVD page says it affects U-Boot "Up to (excluding) 2017.11".
>
> But, the patch that says it addresses CVE-2025-24867 was committed to
> U-Boot in December 2025 [2]. The first release containing this patch was
> v2026.01.
>
> Is this commit actually needed to resolve that CVE? Or is it some other
> change back in 2017 that fixed the issue? (A yes/no is fine, I don't
> need a link to the exact commit)
I believe this was the commit, from December 2016, which landed in 2017.01:
6c1a808052b fs/fat: Avoid corruption of sectors following the FAT
Tom's recent commit in [2] was just a belt-and-braces check on top.
Regards,
Simon
>
> [1]: https://nvd.nist.gov/vuln/detail/CVE-2025-24857
> [2]: https://source.denx.de/u-boot/u-boot/-/commit/87d85139a96a39429120cca838e739408ef971a2
More information about the U-Boot
mailing list