🟠 High  |  Source: The Hacker News


Researchers at Binarly have identified six vulnerabilities in U-Boot, the open-source bootloader widely used in routers, smart cameras, and server management chips. Four flaws can cause devices to crash, while two could allow an attacker who controls a malicious firmware image to execute arbitrary code before the operating system loads. Because exploitation occurs at boot time, traditional OS-level security controls offer no protection.

Security Architect’s Take: Audit your supply chain for devices and server BMCs (e.g. iDRAC, iLO, BMC) that use U-Boot and track vendor patch availability immediately. Enforce secure boot and image signing policies to ensure only cryptographically verified firmware images are presented to the bootloader, mitigating the code-execution variants.

Original advisory: Six New U-Boot Flaws Could Let Malicious Images Crash Devices or Run Code at Boot