Out-of-Bounds Read Vulnerability in U-Boot by DENX
CVE-2026-29007

6.9MEDIUM

Key Information:

Vendor

U-boot

Status
Vendor
CVE Published:
8 July 2026

What is CVE-2026-29007?

The U-Boot bootloader up to version 2026.04-rc3 is susceptible to an out-of-bounds read vulnerability within the tcp_rx_state_machine() function. This flaw occurs when CONFIG_PROT_TCP is enabled, enabling remote attackers to exploit it by sending specially crafted TCP packets. The attackers can manipulate the IP total length and the TCP data offset, causing the tcp_parse_options() function to read beyond the intended boundaries. This could lead to the corruption of critical connection state variables, potentially disrupting TCP window calculations and undermining the stability and security of network communications.

Affected Version(s)

u-boot 0 <= 2026.04-rc3

References

CVSS V4

Score:
6.9
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Kazuma Matsumoto, a security researcher at GMO Cybersecurity by IERAE, Inc.
VulnCheck
.