CVE-2022-2347

HIGH

UBoot - Buffer Overflow

Title source: llm

Description

There exists an unchecked length field in UBoot. The U-Boot DFU implementation does not bound the length field in USB DFU download setup packets, and it does not verify that the transfer direction corresponds to the specified command. Consequently, if a physical attacker crafts a USB DFU download setup packet with a `wLength` greater than 4096 bytes, they can write beyond the heap-allocated request buffer.

References (2)

Core 2

Core References

Exploit, Mailing List, Third Party Advisory x_refsource_misc

https://seclists.org/oss-sec/2022/q3/41

Mailing List

https://lists.debian.org/debian-lts-announce/2025/05/msg00001.html

Scores

CVSS v3 7.7

EPSS 0.0004

EPSS Percentile 10.5%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact total

Details

CWE

CWE-122 CWE-787

Status published

Products (1)

denx/u-boot 2012.10 - 2022.07

Published Sep 23, 2022

Tracked Since Feb 18, 2026