Integer Underflow Vulnerability in U-Boot Bootloader by Denx
CVE-2026-29008
What is CVE-2026-29008?
The U-Boot bootloader up to version 2026.04-rc3 is susceptible to an integer underflow vulnerability within the tcp_rx_state_machine() function. This flaw allows a network-adjacent adversary to induce a device crash by sending a specifically crafted TCP SYN+ACK packet. Due to the manipulation of the data offset field, the payload length can become negative. When the TCP_SYN_SENT handler executes tcp_rx_user_data() without validating the segment, the negative payload length is mistakenly treated as a large unsigned integer, which gets passed to memcpy() in the store_block() function. This leads to a crash that can prevent the device from booting, and if CONFIG_LMB is disabled, it may also result in memory corruption.
Affected Version(s)
u-boot 0 <= 2026.04-rc3
References
CVSS V4
Timeline
Vulnerability published
Vulnerability Reserved
