High severity7.8NVD Advisory· Published Aug 6, 2019· Updated May 12, 2026

CVE-2019-13106

Description

Das U-Boot versions 2016.09 through 2019.07-rc4 can memset() too much data while reading a crafted ext4 filesystem, which results in a stack buffer overflow and likely code execution.

Affected products

Denx/U Boot6 versions
cpe:2.3:a:denx:u-boot:*:*:*:*:*:*:*:*+ 5 more
- cpe:2.3:a:denx:u-boot:*:*:*:*:*:*:*:*range: >=2016.09,<=2019.04
- cpe:2.3:a:denx:u-boot:2019.07:-:*:*:*:*:*:*
- cpe:2.3:a:denx:u-boot:2019.07:rc1:*:*:*:*:*:*
- cpe:2.3:a:denx:u-boot:2019.07:rc2:*:*:*:*:*:*
- cpe:2.3:a:denx:u-boot:2019.07:rc3:*:*:*:*:*:*
- cpe:2.3:a:denx:u-boot:2019.07:rc4:*:*:*:*:*:*
OpenSUSE/Leap2 versions
cpe:2.3:o:opensuse:leap:15.0:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:o:opensuse:leap:15.0:*:*:*:*:*:*:*
- cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

lists.denx.de/pipermail/u-boot/2019-July/375516.htmlnvdMailing ListPatch
lists.opensuse.org/opensuse-security-announce/2019-10/msg00002.htmlnvdMailing ListThird Party Advisory
lists.opensuse.org/opensuse-security-announce/2019-10/msg00004.htmlnvdMailing ListThird Party Advisory
gist.github.com/deephooloovoo/d91b81a1674b4750e662dfae93804d75nvdThird Party Advisory
github.com/u-boot/u-boot/commits/masternvdProduct
cert-portal.siemens.com/productcert/html/ssa-577017.htmlnvd

News mentions

Siemens Ruggedcom Rox
CISA Alerts

cvss	0.507
epss	0.001
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000