CVE-2024-42040

NameCVE-2024-42040
DescriptionBuffer Overflow vulnerability in the net/bootp.c in DENEX U-Boot from its initial commit in 2002 (3861aa5) up to today on any platform allows an attacker on the local network to leak memory from four up to 32 bytes of memory stored behind the packet to the network depending on the later use of DHCP-provided parameters via crafted DHCP responses.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs1081557

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
u-boot (PTS)jessie2014.10+dfsg1-5vulnerable
stretch2016.11+dfsg1-4vulnerable
buster2019.01+dfsg-7vulnerable
bullseye2021.01+dfsg-5vulnerable
bookworm2023.01+dfsg-2+deb12u1vulnerable
sid, trixie2024.01+dfsg-5vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
u-bootsourcejessie(unfixed)end-of-life
u-bootsource(unstable)(unfixed)1081557

Notes

[bookworm] - u-boot <postponed> (Minor issue, revisit when fixed upstream)
[bullseye] - u-boot <postponed> (Minor issue; can be fixed in next update)
https://lists.denx.de/pipermail/u-boot/2024-August/562528.html
https://www.schutzwerk.com/advisories/SCHUTZWERK-SA-2024-004.txt
[buster] - u-boot <postponed> (Minor issue)
[stretch] - u-boot <postponed> (Minor issue)

Search for package or bug name: Reporting problems