Integer Underflow Vulnerability in U-Boot Bootloader by Denx
CVE-2026-29008

8.7HIGH

Key Information:

Vendor

U-boot

Status
Vendor
CVE Published:
8 July 2026

What is CVE-2026-29008?

The U-Boot bootloader up to version 2026.04-rc3 is susceptible to an integer underflow vulnerability within the tcp_rx_state_machine() function. This flaw allows a network-adjacent adversary to induce a device crash by sending a specifically crafted TCP SYN+ACK packet. Due to the manipulation of the data offset field, the payload length can become negative. When the TCP_SYN_SENT handler executes tcp_rx_user_data() without validating the segment, the negative payload length is mistakenly treated as a large unsigned integer, which gets passed to memcpy() in the store_block() function. This leads to a crash that can prevent the device from booting, and if CONFIG_LMB is disabled, it may also result in memory corruption.

Affected Version(s)

u-boot 0 <= 2026.04-rc3

References

CVSS V4

Score:
8.7
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Kazuma Matsumoto, a security researcher at GMO Cybersecurity by IERAE, Inc.
VulnCheck
.