Vulnerabilities in Boot-Time Image Parsing
Security researchers at Binarly have identified six new vulnerabilities in the U-Boot bootloader, a foundational piece of software used to start everything from home routers and smart cameras to server management controllers. The flaws are all triggered during the parsing of a boot image, specifically before the digital signature on that image has been verified. Four of the bugs can cause a device to crash, while the remaining two could allow an attacker to execute arbitrary code.
The two most critical bugs, tracked as BRLY-2026-037 and BRLY-2026-038, stem from a single unchecked return value in a function called fdt_get_name. When U-Boot processes a malformed image, this function can return a null pointer and a negative length. The bootloader uses both values without any verification, leading to memory corruption. In certain memory layouts, this corruption can be exploited to gain control of the device’s execution flow before the operating system even begins to load.
Impact and Remediation
Successful exploitation of the code execution bugs could subvert the entire chain of trust on an affected device. Because the code runs at such an early stage, it sits below the operating system where conventional security tools cannot detect it. For a crash, recovery typically requires physical access to reflash the device’s memory chip. However, researchers note that attack delivery is not trivial. While local access is common, remote exploitation is possible if an attacker can compromise a device’s management interface and use its update process to flash a malicious image.
The patches for all six vulnerabilities were merged into the U-Boot source code in June 2026. However, the official v2026.07 release had already been finalized before the fixes were integrated, so it ships without them. The next scheduled release is v2026.10 in October. In the interim, users of devices built on U-Boot must rely on firmware updates from their product vendors. This situation mirrors past bootloader flaws like BootHole and LogoFAIL, where the challenge is not writing the patch but distributing it across millions of devices running vendor-customized firmware.
Source: The Hacker News
