Unpatched Critical Flaws Disclosed in U-Boot Bootloader for Embedded Devices

Cybersecurity researchers have disclosed two unpatched security vulnerabilities in the open-source U-Boot boot loader.

The issues, which NCC Group uncovered in the IP defragmentation algorithm implemented in U-Boot, could be abused to achieve an arbitrary out-of-bounds write and denial-of-service (DoS).

U-Boot is a boot loader used in Linux-based embedded systems such as ChromeOS as well as ebook readers such as Amazon Kindle and Kobo eReader.


The issues are summarized below –

  • CVE-2022-30790 (CVSS score: 9.6) – Hole Descriptor overwrite in U-Boot IP packet defragmentation leads to an arbitrary out-of-bounds write primitive.
  • CVE-2022-30552 (CVSS score: 7.1) – Large buffer overflow leads to DoS in U-Boot IP packet defragmentation code.

It’s worth noting that both flaws are exploitable only from the local network. But an attacker on that network can craft a malformed packet to root the devices and cause a DoS.

The shortcomings are expected to be addressed by the U-Boot maintainers in an upcoming patch, after which users are advised to update to the latest version.
