Status of CVE-2025-24857 in U-Boot
Paul Barker
paul at pbarker.dev
Mon May 18 12:10:47 CEST 2026
On Tue, 2026-05-12 at 12:36 -0600, Tom Rini wrote:
> On Tue, May 12, 2026 at 11:39:32AM +0100, Paul Barker wrote:
> > Hi folks,
> >
> > We recently had a patch sent to Yocto Project to backport a fix for
> > CVE-2025-24857 to our Scarthgap branch which uses U-Boot 2024.01.
> > Looking at the CVE info, this has confused me a lot. It says [1]:
> >
> > Improper access control for volatile memory containing boot code in
> > Universal Boot Loader (U-Boot) before 2017.11 and Qualcomm chips
> > IPQ4019, IPQ5018, IPQ5322, IPQ6018, IPQ8064, IPQ8074, and IPQ9574
> > could allow an attacker to execute arbitrary code.
> >
> > The NVD page says it affects U-Boot "Up to (excluding) 2017.11".
> >
> > But, the patch that says it addresses CVE-2025-24867 was committed to
> > U-Boot in December 2025 [2]. The first release containing this patch was
> > v2026.01.
> >
> > Is this commit actually needed to resolve that CVE? Or is it some other
> > change back in 2017 that fixed the issue? (A yes/no is fine, I don't
> > need a link to the exact commit)
> >
> > [1]: https://nvd.nist.gov/vuln/detail/CVE-2025-24857
> > [2]: https://source.denx.de/u-boot/u-boot/-/commit/87d85139a96a39429120cca838e739408ef971a2
>
> This is a "funny" one. The reference to v2017.11 is due to when we had a
> large rework of the FAT code and so the most obvious way to trigger the
> problem was removed. The changes in commit 87d85139a96a ("fs: fat:
> Perform sanity checks on getsize in get_fatent()") may, or may not, be
> only a sanity check against performing similar attacks. So yes, it would
> make sense for Scarthgap to have this change.
Hi Tom, Simon,
Thanks both for the replies with info on this!
We have accepted the backport of commit 87d85139a96a into our Scarthgap
stable branch so we should now be covered with both belt and braces.
Best regards,
--
Paul Barker
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 252 bytes
Desc: This is a digitally signed message part
URL: <https://lists.denx.de/pipermail/u-boot/attachments/20260518/8a648399/attachment.sig>
More information about the U-Boot
mailing list