Six U-Boot Flaws Threaten Embedded Systems with Code Execution and DoS
Researchers uncover six critical vulnerabilities in the U-Boot bootloader, impacting embedded systems and server BMCs with risks of code execution and denial-of-service attacks.

Binarly Research has identified six critical vulnerabilities within the U-Boot bootloader, a fundamental component responsible for initiating the boot process in a vast array of embedded systems and server Baseboard Management Controllers (BMCs). These flaws, discovered in the FIT (Flattened Image Tree) signature verification mechanism, could allow attackers to execute arbitrary code or cause denial-of-service (DoS) conditions, undermining the integrity of the entire system's trust chain.
The vulnerabilities, tracked as BRLY-2026-037 through BRLY-2026-042, stem from issues in how U-Boot processes untrusted boot images before their signatures are fully validated. This pre-validation processing is a critical juncture where flaws can be exploited to bypass security checks entirely. The affected code paths have been present since U-Boot version v2013.07, potentially exposing a significant number of stable releases and vendor-specific forks.
Two of the vulnerabilities, BRLY-2026-037 and BRLY-2026-038, present a risk of arbitrary code execution. BRLY-2026-037 involves a null pointer dereference that can crash the system, but in specific memory-mapped environments, it can be escalated to a stack-based buffer overflow. BRLY-2026-038 allows for a stack buffer underflow due to improper handling of negative length values, enabling attackers to overwrite return addresses and execute malicious code during the boot sequence.
The remaining four vulnerabilities primarily lead to DoS conditions. BRLY-2026-039 and BRLY-2026-040 exploit unchecked size fields and legacy FIT format parsing, respectively, causing excessive memory reads or immediate parsing failures that crash the system. BRLY-2026-041 allows attackers to manipulate external data references, pointing to invalid memory or requesting oversized reads, resulting in system instability. Finally, BRLY-2026-042 involves an unbounded recursive function that can exhaust stack memory when processing complex FIT image structures, leading to a DoS.
A significant aspect of these vulnerabilities is that they are triggered during the processing of a malicious FIT image *before* the signature verification is complete. This means an attacker can craft an image that bypasses trust checks from the outset. While physical access is often assumed for such low-level attacks, Binarly highlights that firmware update mechanisms, particularly on insecure BMC interfaces, could be exploited remotely to upload and flash malicious images.
The potential impact is severe, ranging from rendering devices unbootable to deploying stealthy firmware implants that operate below the operating system level, evading conventional security solutions. Binarly Research has coordinated with U-Boot maintainers, and patches for all six vulnerabilities have been developed and merged into the mainline U-Boot repository.
Users and organizations relying on U-Boot are strongly advised to update to patched versions or backport the fixes immediately. Given U-Boot's widespread adoption across diverse hardware, these vulnerabilities represent a substantial supply chain risk. Many devices may remain vulnerable due to outdated firmware or unmaintained vendor forks, underscoring the critical need for continuous firmware security analysis and robust validation of boot components.