CVE-2024-42040: Classic Buffer Overflow in U-boot

Severity: 8.1 HIGH (NVD)
EPSS: 0.1% (top 77.76%)
CISA KEV: Not in KEV
Exploit: No known exploits

Timeline
Published: Aug 23
Latest update: Feb 23

Description

Buffer Overflow vulnerability in net/bootp.c in DENEX U-Boot, from its initial commit in 2002 (3861aa5) up to today, on any platform, allows an attacker on the local network to use crafted DHCP responses to leak from four up to 32 bytes of memory stored behind the packet to the network, depending on the later use of DHCP-provided parameters.

CVSS vector

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
Exploitability: 2.8 | Impact: 5.2

Affected Packages: 5 packages

🔴 Vulnerability Details (3)

OSV: u-boot vulnerabilities (2026-02-23)
GHSA: GHSA-xh96-vq46-m9ww: Buffer Overflow vulnerability in the net/bootp (2024-08-23)
OSV: CVE-2024-42040: Buffer Overflow vulnerability in the net/bootp (2024-08-23)

📋 Vendor Advisories (3)

Ubuntu: U-Boot vulnerabilities (2026-02-23)
Microsoft: Buffer Overflow vulnerability in the net/bootp.c in DENEX U-Boot from its initial commit in 2002 (3861aa5) up to today on any platform allows an attacker on the local network to leak memory from four (2024-08-13)
Debian: CVE-2024-42040: u-boot - Buffer Overflow vulnerability in the net/bootp.c in DENEX U-Boot from its initia... (2024)
CVE-2024-42040 — Classic Buffer Overflow in Denx U-boot | cvebase