Launchpad.net

CVE 2022-2347

There exists an unchecked length field in UBoot. The U-Boot DFU implementation does not bound the length field in USB DFU download setup packets, and it does not verify that the transfer direction corresponds to the specified command. Consequently, if a physical attacker crafts a USB DFU download setup packet with a `wLength` greater than 4096 bytes, they can write beyond the heap-allocated request buffer.

Related bugs and status

CVE-2022-2347 (Candidate) is related to these bugs:

Bug #1999039: Please merge u-boot 2022.10+dfsg-1 from Debian unstable.

Summary				In	Importance	Status
	1999039	Please merge u-boot 2022.10+dfsg-1 from Debian unstable.		u-boot (Ubuntu)	Undecided	Fix Released

Bug #2027789: Please merge u-boot 2023.07+dfsg-1 from Debian unstable.

Summary				In	Importance	Status
	2027789	Please merge u-boot 2023.07+dfsg-1 from Debian unstable.		u-boot (Ubuntu)	Undecided	Fix Released

See the

CVE page on Mitre.org for more details.

References

MISC: https://seclists.org/o...