CVE-2026-29009 in U-Bootinfo

Summary

by MITRE • 07/08/2026

U-Boot through 2026.04-rc3 contains a buffer overflow vulnerability in nfs_readlink_reply() (net/nfs-common.c) when CONFIG_CMD_NFS is enabled, allowing a malicious or compromised NFS server to overflow the 2048-byte nfs_path_buff buffer by returning multiple relative symlink targets that are appended without cumulative length validation. Attackers can send two or more READLINK responses containing relative symlink targets of approximately 1100 bytes each to corrupt adjacent BSS variables including nfs_server_ip, nfs_server_mount_port, nfs_server_port, nfs_our_port, nfs_state, and rpc_id, potentially achieving memory corruption and control over the NFS client state machine.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 07/08/2026

The vulnerability under discussion represents a critical buffer overflow flaw in U-Boot versions up to 2026.04-rc3 that specifically affects systems utilizing Network File System (NFS) functionality through the CONFIG_CMD_NFS configuration option. This issue resides within the nfs_readlink_reply() function located in net/nfs-common.c, where the implementation fails to validate cumulative lengths when processing multiple relative symlink targets returned by NFS servers. The flaw manifests when a malicious or compromised NFS server sends multiple READLINK responses containing relative symlink targets of approximately 1100 bytes each, creating a scenario where the 2048-byte nfs_path_buff buffer becomes insufficient for handling the concatenated data.

The technical execution of this vulnerability leverages the absence of length validation during the processing of symbolic link resolution operations within the NFS client implementation. When multiple relative symlink targets are received and appended to the fixed-size nfs_path_buff buffer without checking cumulative length constraints, the system experiences memory corruption beyond the intended buffer boundaries. This overflow directly impacts adjacent BSS (Block Started by Symbol) variables that store critical NFS client state information including nfs_server_ip, nfs_server_mount_port, nfs_server_port, nfs_our_port, nfs_state, and rpc_id. The nature of this vulnerability aligns with CWE-121 Stack-based Buffer Overflow, where insufficient bounds checking allows attackers to overwrite adjacent memory locations.

The operational impact of this vulnerability extends beyond simple memory corruption, potentially enabling attackers to manipulate the NFS client state machine through controlled overwrites of critical variables. When the nfs_server_ip and related port configuration variables are overwritten, an attacker could redirect subsequent NFS operations to malicious servers or manipulate connection parameters. Similarly, corruption of nfs_state and rpc_id variables could disrupt the normal operation of the NFS client implementation, potentially leading to denial of service conditions or more sophisticated attack vectors where state manipulation enables further exploitation. This vulnerability falls under ATT&CK technique T1059 Command and Scripting Interpreter, as it enables attackers to manipulate client-side execution flow through memory corruption, and T1210 Exploitation of Remote Services, given that the attack vector originates from a remote NFS server.

The mitigation strategies for this vulnerability require immediate attention through software updates to U-Boot versions that address the buffer overflow in nfs_readlink_reply(). Organizations should implement network segmentation and access controls to limit exposure to untrusted NFS servers, particularly in environments where embedded systems may encounter potentially malicious network services. Additionally, monitoring for unusual NFS traffic patterns and implementing intrusion detection systems can help identify potential exploitation attempts. The fix should include implementing cumulative length validation for symlink target concatenation, establishing proper bounds checking mechanisms, and potentially introducing dynamic buffer allocation to handle variable-length symlink targets. Security teams should also consider disabling CONFIG_CMD_NFS in environments where NFS functionality is not strictly required, reducing the attack surface while awaiting comprehensive patches.

Responsible

VulnCheck

Reservation

03/03/2026

Disclosure

07/08/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Might our Artificial Intelligence support you?

Check our Alexa App!