CVE-2026-29007 in U-Boot
Summary
by MITRE • 07/08/2026
U-Boot through 2026.04-rc3 contains an out-of-bounds read vulnerability in tcp_rx_state_machine() (net/tcp.c) when CONFIG_PROT_TCP is enabled, allowing remote attackers to read beyond TCP segment boundaries by crafting a malicious packet with a mismatched IP total length and TCP data offset field. Attackers can send a packet with an IP total length of 40 bytes and a TCP data offset claiming 60 bytes of header to cause tcp_parse_options() to read 40 bytes past the end of the TCP segment, potentially corrupting connection state variables such as rmt_win_scale and rmt_timestamp to disrupt TCP window calculations.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 07/08/2026
The vulnerability under discussion represents a critical out-of-bounds read condition within U-Boot's TCP implementation that resides in the tcp_rx_state_machine() function located in net/tcp.c. This flaw becomes exploitable when the CONFIG_PROT_TCP configuration option is enabled, creating a scenario where remote attackers can manipulate TCP packet structures to trigger memory access violations. The core issue stems from improper validation of packet headers, specifically the mismatch between IP total length and TCP data offset fields that allows for arbitrary memory reads beyond legitimate segment boundaries.
The technical exploitation mechanism relies on crafting malicious TCP packets with deliberately inconsistent header values where the IP total length field indicates a segment size of 40 bytes while the TCP data offset field claims 60 bytes of header space. This discrepancy causes the tcp_parse_options() function to attempt reading 40 bytes beyond the actual TCP segment boundaries, resulting in memory corruption that affects critical connection state variables. The vulnerability operates at the network protocol level within U-Boot's TCP stack implementation and demonstrates a classic buffer over-read condition that falls under CWE-125 out-of-bounds read.
Operational impact of this vulnerability extends beyond simple memory corruption to potentially disrupt network communications and TCP window scaling calculations that are fundamental to network performance. The affected state variables including rmt_win_scale and rmt_timestamp directly influence how TCP connections manage flow control and window sizing, meaning attackers could cause connection instability or complete disruption of network services. This type of vulnerability represents a significant threat in embedded systems environments where U-Boot serves as the primary boot loader and network stack manager.
The attack vector for this vulnerability is particularly concerning as it requires only remote packet crafting capabilities without any authentication requirements, making it suitable for exploitation in various network scenarios including man-in-the-middle attacks or network-based denial-of-service conditions. Network administrators should note that this vulnerability affects U-Boot versions through 2026.04-rc3, indicating the issue has persisted across multiple development cycles and requires immediate attention from system maintainers. The vulnerability's classification aligns with ATT&CK technique T1059.007 for remote code execution via network protocols and T1499.004 for network disruption attacks.
Mitigation strategies should focus on implementing proper input validation within the TCP parsing functions to ensure that IP total length and TCP data offset fields are consistent before any memory operations occur. The most effective solution involves updating U-Boot to a patched version that properly validates header field consistency or disabling the CONFIG_PROT_TCP option if TCP protocol support is not essential for the specific deployment environment. Additionally, network monitoring systems should be configured to detect anomalous packet patterns that might indicate exploitation attempts targeting this vulnerability. Organizations should also consider implementing network segmentation and access controls to limit exposure of affected systems while patches are deployed, as this vulnerability represents a significant risk to embedded network infrastructure security.