CVE-2026-29007
Received Received - Intake

U-Boot TCP Out-of-Bounds Read in tcp_rx_state_machine

Vulnerability report for CVE-2026-29007, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-08

Last updated on: 2026-07-08

Assigner: VulnCheck

Description

U-Boot through 2026.04-rc3 contains an out-of-bounds read vulnerability in tcp_rx_state_machine() (net/tcp.c) when CONFIG_PROT_TCP is enabled, allowing remote attackers to read beyond TCP segment boundaries by crafting a malicious packet with a mismatched IP total length and TCP data offset field. Attackers can send a packet with an IP total length of 40 bytes and a TCP data offset claiming 60 bytes of header to cause tcp_parse_options() to read 40 bytes past the end of the TCP segment, potentially corrupting connection state variables such as rmt_win_scale and rmt_timestamp to disrupt TCP window calculations.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-08
Last Modified
2026-07-08
Generated
2026-07-09
AI Q&A
2026-07-08
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
denx u-boot to 2026.04-rc3 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-125 The product reads data past the end, or before the beginning, of the intended buffer.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-29007 is an out-of-bounds read vulnerability in the tcp_rx_state_machine() function of U-Boot versions up to 2026.04-rc3 when the CONFIG_PROT_TCP option is enabled.

An attacker can send a specially crafted TCP packet where the IP total length is set to 40 bytes but the TCP data offset claims 60 bytes of header. This mismatch causes the tcp_parse_options() function to read 40 bytes beyond the actual TCP segment boundary.

This out-of-bounds read can corrupt important connection state variables such as rmt_win_scale and rmt_timestamp, which are used in TCP window calculations.

Impact Analysis

The vulnerability can lead to corruption of TCP connection state variables, which may disrupt TCP window calculations.

This disruption can cause instability in network connections or potentially lead to denial-of-service (DoS) conditions.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-29007. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart