Multiple vulnerabilities in the U-Boot FIT image signature verification logic
Tom Rini
trini at konsulko.com
Wed May 20 16:36:39 CEST 2026
On Wed, May 20, 2026 at 12:27:00PM +0100, Anton Ivanov wrote:
> Hello U-Boot maintainers,
>
> Binarly Research has identified several vulnerabilities affecting the
> U-Boot FIT image signature verification logic:
> [BRLY-2026-037] Null pointer dereference and potential stack buffer
> overflow in U-Boot during FIT image signature verification in
> `fdt_find_regions`
> [BRLY-2026-038] Stack buffer underflow in U-Boot during FIT image signature
> verification in `fdt_find_regions`
> [BRLY-2026-039] Denial of service in U-Boot during FIT image signature
> verification because of unchecked `size` value of `hashed-strings` property
> [BRLY-2026-040] Denial of service in U-Boot during FIT image signature
> verification because of null pointer dereference in `fdt_find_regions`
> [BRLY-2026-041] Denial of service in U-Boot during FIT image signature
> verification because of unchecked properties of image external data
> [BRLY-2026-042] Unbounded recursion in `fdt_check_no_at` during FIT format
> validation
>
> The detailed reports are attached. Feel free to reach out if you have any
> further questions.

This sounds like what came in yesterday with:
https://lore.kernel.org/u-boot/0100019e40e72ac1-c3d57c2e-cac3-4f65-a98f-f1c6173c047d-000000@email.amazonses.com/

And so I'll repeat myself here.

First, the current stance of this project with respect to AI is, "please
don't" and is well explained over on
https://docs.postmarketos.org/policies-and-processes/development/ai-policy.html

Second, if you're going to use an AI tool anyhow, please read
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=36d49bba19f2c19c933d13b25dcf4eb607a030b3
and specifically the section titled "Responsible use of AI to find
bugs".

Finally, our normal patch submission process is documented at
https://docs.u-boot.org/en/latest/develop/sending_patches.html

Thanks.

--
Tom