๐Ÿ” CVE Alert

CVE-2026-29008

HIGH 7.5

U-Boot 2026.04-rc3 Integer Underflow DoS via tcp_rx_state_machine()

CVSS Score
7.5
EPSS Score
0.0%
EPSS Percentile
0th

U-Boot through 2026.04-rc3 contains an integer underflow vulnerability in the tcp_rx_state_machine() function (net/tcp.c) that allows a network-adjacent attacker to crash the bootloader by sending a malformed TCP SYN+ACK packet with a manipulated data offset field causing payload_len to become negative. When the TCP_SYN_SENT handler calls tcp_rx_user_data() without invoking tcp_seg_in_wnd() validation, the negative payload_len is implicitly converted to a large unsigned integer (e.g., 0xFFFFFFD8) and passed to memcpy() in store_block(), causing an immediate crash that prevents device boot and may enable memory corruption when CONFIG_LMB is disabled.

CWE CWE-191
Vendor u-boot
Product u-boot
Published Jul 8, 2026
Last Updated Jul 14, 2026
Stay Ahead of the Next One

Get instant alerts for u-boot u-boot

Be the first to know when new high vulnerabilities affecting u-boot u-boot are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Affected Versions

u-boot / u-boot
0 โ‰ค 2026.04-rc3

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
y637f9qq2x.com: https://y637f9qq2x.com/posts/u-boot-tcp-nfs-vulns/ lists.denx.de: https://lists.denx.de/pipermail/u-boot/2026-May/617853.html u-boot.org: https://u-boot.org/ vulncheck.com: https://www.vulncheck.com/advisories/u-boot-rc3-integer-underflow-dos-via-tcp-rx-state-machine

Credits

Kazuma Matsumoto, a security researcher at GMO Cybersecurity by IERAE, Inc. VulnCheck