CVE-2024-42040

EUVD-2024-39870
Buffer Overflow vulnerability in the net/bootp.c in DENEX U-Boot from its initial commit in 2002 (3861aa5) up to today on any platform allows an attacker on the local network to leak memory from four up to 32 bytes of memory stored behind the packet to the network depending on the later use of DHCP-provided parameters via crafted DHCP responses.
Classic Buffer Overflow
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
8.1 HIGH
ADJACENT_NETWORK
LOW
NONE
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
CISA-ADPADP
8.1 HIGH
ADJACENT_NETWORK
LOW
NONE
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
Awaiting analysis
This vulnerability is currently awaiting analysis.
Base Score
CVSS 3.x
EPSS Score
Percentile: 21%
Debian logo
Debian Releases
Debian Product
Codename
u-boot
bookworm
postponed
bullseye
postponed
bullseye (security)
vulnerable
forky
vulnerable
sid
vulnerable
trixie
postponed
Common Weakness Enumeration
References
https://github.com/u-boot/u-boot/tags
https://www.schutzwerk.com/advisories/SCHUTZWERK-SA-2024-004.txt
http://seclists.org/fulldisclosure/2024/Aug/38