Back to overview

CVE-2026-29009

HIGH
8.2
CVSS 3.1
Description
U-Boot through 2026.04-rc3 contains a buffer overflow vulnerability in nfs_readlink_reply() (net/nfs-common.c) when CONFIG_CMD_NFS is enabled, allowing a malicious or compromised NFS server to overflow the 2048-byte nfs_path_buff buffer by returning multiple relative symlink targets that are appended without cumulative length validation. Attackers can send two or more READLINK responses containing relative symlink targets of approximately 1100 bytes each to corrupt adjacent BSS variables including nfs_server_ip, nfs_server_mount_port, nfs_server_port, nfs_our_port, nfs_state, and rpc_id, potentially achieving memory corruption and control over the NFS client state machine.

Metadata

CVE ID
CVE-2026-29009
State
PUBLISHED
Assigner
VulnCheck
Reserved
2026-03-03 16:42 UTC
Published
2026-07-08 16:16 UTC
Last updated
2026-07-08 16:39 UTC
Primary CWE
CWE-120
Buffer Copy without Checking Size of Input ('Classic Buffer …
Vendor / Product
u-boot / u-boot
Sources
cve.org  ·  NVD

Severity & Metrics

8.2 HIGH CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
SSVC — CISA Coordinator
Exploitation
none
Automatable
yes
Tech. Impact
partial
Affected products (1)
VendorProductPlatformVersions
u-boot u-boot 0 ≤ 2026.04-rc3
Weakness (CWE)
CWESourceDescription
CWE-120 cna Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
CVSS scores (2)
ScoreSeverityVersionSourceVector
8.8 HIGH 4.0 cna CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N
8.2 HIGH 3.1 cna CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
Back to overview