CVE-2026-29008
Received Received - Intake

Integer Underflow in U-Boot Bootloader via TCP SYN+ACK

Vulnerability report for CVE-2026-29008, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-08

Last updated on: 2026-07-08

Assigner: VulnCheck

Description

U-Boot through 2026.04-rc3 contains an integer underflow vulnerability in the tcp_rx_state_machine() function (net/tcp.c) that allows a network-adjacent attacker to crash the bootloader by sending a malformed TCP SYN+ACK packet with a manipulated data offset field causing payload_len to become negative. When the TCP_SYN_SENT handler calls tcp_rx_user_data() without invoking tcp_seg_in_wnd() validation, the negative payload_len is implicitly converted to a large unsigned integer (e.g., 0xFFFFFFD8) and passed to memcpy() in store_block(), causing an immediate crash that prevents device boot and may enable memory corruption when CONFIG_LMB is disabled.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-08
Last Modified
2026-07-08
Generated
2026-07-09
AI Q&A
2026-07-08
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
denx u-boot to 2026.04-rc3 (inc)
u-boot u-boot to 2026.04-rc3 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-191 The product subtracts one value from another, such that the result is less than the minimum allowable integer value, which produces a value that is not equal to the correct result.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-29008 is an integer underflow vulnerability in the U-Boot bootloader, specifically in the tcp_rx_state_machine() function. A network-adjacent attacker can exploit this by sending a malformed TCP SYN+ACK packet with a manipulated data offset field. This causes the payload_len variable to become negative, which is then implicitly converted to a large unsigned integer and passed to memcpy(), leading to an immediate crash of the bootloader.

This crash prevents the device from booting and may also enable memory corruption if a certain configuration (CONFIG_LMB) is disabled.

Impact Analysis

The vulnerability can cause an immediate crash of the bootloader, preventing the affected device from booting properly.

Additionally, if the CONFIG_LMB setting is disabled, the vulnerability may allow memory corruption, which could lead to further unpredictable behavior or exploitation.

Detection Guidance

This vulnerability can be detected by monitoring for malformed TCP SYN+ACK packets with manipulated data offset fields on the network, as these packets trigger the integer underflow in the tcp_rx_state_machine() function.

Specifically, network traffic analysis tools or packet capture utilities can be used to identify suspicious TCP SYN+ACK packets that do not conform to standard TCP header formats.

Commands that could be used include:

  • Using tcpdump to capture TCP SYN+ACK packets: tcpdump 'tcp[tcpflags] & (tcp-syn|tcp-ack) == (tcp-syn|tcp-ack)' -i <interface>
  • Using Wireshark or tshark to analyze the data offset field in TCP headers for anomalies.
  • Inspecting system logs or bootloader crash reports for signs of immediate crashes or boot failures related to TCP packet processing.
Mitigation Strategies

Immediate mitigation steps include preventing the exploitation of the vulnerability by filtering or blocking malformed TCP SYN+ACK packets with manipulated data offset fields at the network perimeter.

Additionally, updating U-Boot to a version later than 2026.04-rc3 where this vulnerability is fixed is recommended once a patch is available.

If updating is not immediately possible, disabling network access to the affected device or restricting access to trusted networks can reduce the risk.

Monitoring device boot behavior for crashes and memory corruption symptoms can help in early detection of exploitation attempts.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-29008. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart