CVE-2026-29009
Received Received - Intake

Buffer Overflow in U-Boot NFS Client

Vulnerability report for CVE-2026-29009, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-08

Last updated on: 2026-07-08

Assigner: VulnCheck

Description

U-Boot through 2026.04-rc3 contains a buffer overflow vulnerability in nfs_readlink_reply() (net/nfs-common.c) when CONFIG_CMD_NFS is enabled, allowing a malicious or compromised NFS server to overflow the 2048-byte nfs_path_buff buffer by returning multiple relative symlink targets that are appended without cumulative length validation. Attackers can send two or more READLINK responses containing relative symlink targets of approximately 1100 bytes each to corrupt adjacent BSS variables including nfs_server_ip, nfs_server_mount_port, nfs_server_port, nfs_our_port, nfs_state, and rpc_id, potentially achieving memory corruption and control over the NFS client state machine.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-08
Last Modified
2026-07-08
Generated
2026-07-09
AI Q&A
2026-07-08
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
denx u-boot to 2026.04-rc3 (inc)
u-boot u-boot to 2026.04-rc3 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-120 The product copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-29009 is a high-severity buffer overflow vulnerability found in U-Boot versions up to and including 2026.04-rc3. It occurs in the function nfs_readlink_reply() within the NFS client implementation when the CONFIG_CMD_NFS option is enabled.

The vulnerability arises because the 2048-byte buffer nfs_path_buff does not properly validate the cumulative length of appended relative symlink targets. An attacker controlling or compromising an NFS server can send multiple READLINK responses with large relative symlink targets (around 1100 bytes each), causing the buffer to overflow.

This overflow corrupts adjacent variables in memory, such as nfs_server_ip, nfs_server_mount_port, nfs_server_port, nfs_our_port, nfs_state, and rpc_id, potentially leading to memory corruption and allowing the attacker to manipulate the NFS client's state machine.

Impact Analysis

Exploitation of this vulnerability can lead to memory corruption within the NFS client, which may allow an attacker to gain control over the client's state machine.

This could result in unauthorized manipulation of network file system operations, potentially causing denial of service, data corruption, or other unpredictable behavior in systems using the affected U-Boot versions with NFS enabled.

Mitigation Strategies

To mitigate this vulnerability, ensure that the affected U-Boot versions up to and including 2026.04-rc3 are updated or patched to a version where the buffer overflow in nfs_readlink_reply() is fixed.

If updating is not immediately possible, consider disabling the CONFIG_CMD_NFS option to prevent the vulnerable NFS client code from being enabled.

Additionally, avoid connecting to untrusted or potentially malicious NFS servers, as exploitation requires a compromised or malicious NFS server to send crafted READLINK responses.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-29009. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart