Multiple vulnerabilities in the U-Boot FIT image signature verification logic
Anton Ivanov
anton at binarly.io
Wed May 20 18:02:19 CEST 2026
Hi Tom, nice to meet you.
While we understand your concerns about AI-assisted vulnerability research
and AI-generated security reports, we're not sure why you think these
advisories don't require attention.
We have recently started using AI tools for vulnerability research
projects. We use them responsibly, conducting several rounds of human review.
We have confirmed that all the security issues described in these reports
are valid. Furthermore, each advisory contains a PoC section that
demonstrates how the vulnerable code can be triggered to lead to DoS or
arbitrary code execution, as in the case of BRLY-2026-038. We used either
sandbox_defconfig or qemu_arm_defconfig builds to confirm this.
As for the content of the reports, we strongly believe that they contain
the minimum amount of information required to understand the vulnerability,
including the PoC and suggestions for fixes, as well as the other common
information, such as the CVSS score and disclosure timeline. We understand
that this format may feel unusual to you, but this is how we typically
report vulnerabilities. You can find more examples in
https://github.com/binarly-io/Vulnerability-REsearch. Please note that most
of the advisories were created before the AI era.
As an alternative, to save everyone time, we can provide the necessary
patches to resolve these issues. Does this sound good to you?
Thank you,
Anton
On Wed, May 20, 2026 at 3:36 PM Tom Rini <trini at konsulko.com> wrote:
> On Wed, May 20, 2026 at 12:27:00PM +0100, Anton Ivanov wrote:
>
> > Hello U-Boot maintainers,
> >
> > Binarly Research has identified several vulnerabilities affecting the
> > U-Boot FIT image signature verification logic:
> > [BRLY-2026-037] Null pointer dereference and potential stack buffer
> > overflow in U-Boot during FIT image signature verification in
> > `fdt_find_regions`
> > [BRLY-2026-038] Stack buffer underflow in U-Boot during FIT image signature
> > verification in `fdt_find_regions`
> > [BRLY-2026-039] Denial of service in U-Boot during FIT image signature
> > verification because of unchecked `size` value of `hashed-strings` property
> > [BRLY-2026-040] Denial of service in U-Boot during FIT image signature
> > verification because of null pointer dereference in `fdt_find_regions`
> > [BRLY-2026-041] Denial of service in U-Boot during FIT image signature
> > verification because of unchecked properties of image external data
> > [BRLY-2026-042] Unbounded recursion in `fdt_check_no_at` during FIT format
> > validation
> >
> > The detailed reports are attached. Feel free to reach out if you have any
> > further questions.
>
> This sounds like what came in yesterday with:
>
> https://lore.kernel.org/u-boot/0100019e40e72ac1-c3d57c2e-cac3-4f65-a98f-f1c6173c047d-000000@email.amazonses.com/
>
> And so I'll repeat myself here.
>
> First, the current stance of this project with respect to AI is, "please
> don't" and is well explained over on
>
> https://docs.postmarketos.org/policies-and-processes/development/ai-policy.html
>
> Second, if you're going to use an AI tool anyhow, please read
>
> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=36d49bba19f2c19c933d13b25dcf4eb607a030b3
> and specifically the section titled "Responsible use of AI to find
> bugs".
>
> Finally, our normal patch submission process is documented at
> https://docs.u-boot.org/en/latest/develop/sending_patches.html
>
> Thanks.
>
> --
> Tom
>