Six U-Boot Bugs Let Malicious Images Hijack Boot

Get the Tech newsletter
Daily tech — startups, AI labs, chips, the launches that shape the next decade. Free.
- Binarly disclosed six U-Boot flaws tracked as BRLY-2026-037 through BRLY-2026-042: two enable code execution before the boot signature is checked, while four only crash the device.
- The two code-execution bugs (BRLY-2026-037 and -038) trace to U-Boot's unchecked use of fdt_get_name from libfdt, where a null pointer drives a stack buffer overflow and a negative length feeds pointer arithmetic that overwrites a saved return address.
- U-Boot's vulnerable code has shipped since version v2013.07, spanning more than 50 stable releases and countless vendor firmware builds.
- U-Boot maintainers merged all six patches in June, but the July release (v2026.07) had already frozen in April, so fixes won't ship in an upstream release until v2026.10 in October.
- The fdt_get_name helper lives in libfdt, which the Linux kernel, barebox, and other projects also use, meaning the same unchecked-return pattern could resurface wherever that code is reused.
- The same Binarly researcher previously showed remote attackers could flash malicious images to Supermicro server management controllers via their own update process, suggesting code execution at boot doesn't always require physical access.
Why it matters: With U-Boot's v2026.07 already frozen before the June patch merge, fixes won't reach upstream users until v2026.10 in October—leaving routers, cameras, and server BMCs on any of 50+ affected releases exploitable by anyone who can deliver a malicious image, while end-device fixes depend entirely on each vendor pushing a firmware update.

