CVE-2025-24857 — Improper Access Control in U-boot

CWE-284 — Improper Access Control CWE-362 — Race Condition7 documents7 sources

Severity

7.6HIGHNVD

EPSS

0.0%

top 89.57%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Denx U-boot Debian U-boot Msrc Azl3 Kernel 6.6.35.1-4 ON Azure Linux 3.0 +1 more

Timeline

PublishedDec 10

Latest updateMar 5

Description

Improper access control for volatile memory containing boot code in Universal Boot Loader (U-Boot) before 2017.11 and Qualcomm chips IPQ4019, IPQ5018, IPQ5322, IPQ6018, IPQ8064, IPQ8074, and IPQ9574 could allow an attacker to execute arbitrary code.

CVSS vector

CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:HExploitability: 0.9 | Impact: 6.0

Affected Packages5 packages

▶NVDdenx/u-boot< 2017.11

▶debiandebian/u-boot< u-boot 2017.11+dfsg1-2 (bookworm)

▶Debiandenx/u-boot< 2017.11+dfsg1-2+3

▶msrcmsrc/azl3_kernel_6.6.35.1-4_on_azure_linux_3.0

▶msrcmsrc/azl3_kernel_6.6.78.1-1_on_azure_linux_3.0

🔴Vulnerability Details

GHSA

GHSA-v72w-97m6-622r: Improper access control for volatile memory containing boot code in Universal Boot Loader (U-Boot) before 2017↗2025-12-10

▶

OSV

CVE-2025-24857: Improper access control for volatile memory containing boot code in Universal Boot Loader (U-Boot) before 2017↗2025-12-10

▶

📋Vendor Advisories

CISA ICS

Universal Boot Loader (U-Boot) (Update A)↗2026-03-05

▶

Debian

CVE-2025-24857: u-boot - Improper access control for volatile memory containing boot code in Universal Bo...↗2025

▶

Microsoft

Race condition vulnerability in Linux kernel bluetooth in conn_info_{minmax}_age_set()↗2024-02-13

▶

🕵️Threat Intelligence

Wiz

CVE-2025-24857 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶