๐Ÿ” CVE Alert

CVE-2026-29009

HIGH 8.2

U-Boot 2026.04-rc3 Buffer Overflow in nfs_readlink_reply() via NFS READLINK

CVSS Score
8.2
EPSS Score
0.0%
EPSS Percentile
0th

U-Boot through 2026.04-rc3 contains a buffer overflow vulnerability in nfs_readlink_reply() (net/nfs-common.c) when CONFIG_CMD_NFS is enabled, allowing a malicious or compromised NFS server to overflow the 2048-byte nfs_path_buff buffer by returning multiple relative symlink targets that are appended without cumulative length validation. Attackers can send two or more READLINK responses containing relative symlink targets of approximately 1100 bytes each to corrupt adjacent BSS variables including nfs_server_ip, nfs_server_mount_port, nfs_server_port, nfs_our_port, nfs_state, and rpc_id, potentially achieving memory corruption and control over the NFS client state machine.

CWE CWE-120
Vendor u-boot
Product u-boot
Published Jul 8, 2026
Last Updated Jul 14, 2026
Stay Ahead of the Next One

Get instant alerts for u-boot u-boot

Be the first to know when new high vulnerabilities affecting u-boot u-boot are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
High

Affected Versions

u-boot / u-boot
0 โ‰ค 2026.04-rc3

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
y637f9qq2x.com: https://y637f9qq2x.com/posts/u-boot-tcp-nfs-vulns/ lists.denx.de: https://lists.denx.de/pipermail/u-boot/2026-May/617853.html u-boot.org: https://u-boot.org/ vulncheck.com: https://www.vulncheck.com/advisories/u-boot-rc3-buffer-overflow-in-nfs-readlink-reply-via-nfs-readlink

Credits

Kazuma Matsumoto, a security researcher at GMO Cybersecurity by IERAE, Inc. VulnCheck