CVE-2019-13106 — Out-of-bounds Write in U-boot

CWE-787 — Out-of-bounds Write4 documents4 sources

Severity

7.8HIGHNVD

EPSS

0.8%

top 25.19%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Denx U-boot Debian U-boot Opensuse Leap

Timeline

PublishedAug 6

Latest updateMay 24

Description

Das U-Boot versions 2016.09 through 2019.07-rc4 can memset() too much data while reading a crafted ext4 filesystem, which results in a stack buffer overflow and likely code execution.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages4 packages

▶debiandebian/u-boot< u-boot 2020.01+dfsg-1 (bookworm)

▶Debiandenx/u-boot< 2020.01+dfsg-1+3

▶NVDdenx/u-boot2016.09 — 2019.04+1

▶NVDopensuse/leap15.0, 15.1+1

Patches

Patch: lists.denx.de ↗Patch: lists.denx.de ↗

🔴Vulnerability Details

GHSA

GHSA-r4g9-3p6p-387v: Das U-Boot versions 2016↗2022-05-24

▶

OSV

CVE-2019-13106: Das U-Boot versions 2016↗2019-08-06

▶

📋Vendor Advisories

Debian

CVE-2019-13106: u-boot - Das U-Boot versions 2016.09 through 2019.07-rc4 can memset() too much data while...↗2019

▶