A 13-Year-Old Bug in U-Boot Puts Millions of Devices at Risk

There’s a quiet assumption that your router, server, or IoT device is secure because it boots into a trusted operating system. But what if the compromise happens before the OS even loads?

Firmware security company Binarly published a report on July 9 detailing six high-severity vulnerabilities in U-Boot, the most widely used open-source bootloader in the embedded world. Two of them allow arbitrary code execution. Four can crash devices into an unbootable state. And the vulnerable code has been sitting in the source tree since July 2013.

U-Boot bootloader vulnerability analysis

U-Boot handles the moment between power-on and OS launch — initializing CPUs, memory, and peripherals. Its “Verified Boot” mechanism is supposed to use cryptographic signatures to ensure only trusted firmware is loaded. The six vulnerabilities, tracked as BRLY-2026-037 through BRLY-2026-042, all reside in the code that parses FIT (Flattened Image Tree) image signatures. An attacker who can craft a malicious FIT image can trigger the flaws before signature verification completes.

The two most dangerous bugs, BRLY-2026-037 and BRLY-2026-038, share a root cause: U-Boot fails to validate the return value of the fdt_get_name function in its device tree parsing library. When fed a carefully malformed image, the function returns a null pointer and a negative length value — and U-Boot uses them directly. In BRLY-2026-037, that null pointer can escalate into a stack buffer overflow under the right memory layout. BRLY-2026-038 is more insidious: the negative length value causes a pointer to walk backward in memory, eventually overwriting a return address. Binarly’s researchers demonstrated a working exploit for BRLY-2026-038 in a QEMU ARM emulation environment.

The other four vulnerabilities are less glamorous but still damaging. BRLY-2026-039 and BRLY-2026-041 let an attacker force U-Boot to read out-of-bounds memory until it crashes, simply by controlling image size or offset fields. BRLY-2026-040 triggers a null-pointer dereference when parsing older-format images. BRLY-2026-042 exploits deeply nested image structures to cause unbounded recursion — each nested level needs just 12 bytes of image data to consume at least 16 bytes of stack space, making for a cheap denial-of-service attack.

An attacker who successfully exploits a code-execution vulnerability gains control of the device before the operating system or any security software starts. That means they can disable security features, tamper with the boot chain, or install persistent firmware backdoors that are nearly impossible to detect from within the OS. And physical access isn’t always required — in server BMC (Baseboard Management Controller) environments that support remote firmware updates, an attacker who already has management interface access can upload a malicious firmware image remotely.

The DoS vulnerabilities are equally nasty. Devices hit by these bugs may become completely unbootable. Depending on the hardware, recovery may require physical access and re-flashing the SPI flash chip.

Binarly reported the vulnerabilities to the U-Boot security team and worked with maintainers Simon Glass and Tom Rini to develop and review all six patches. The fixes have been merged into the U-Boot main branch.

Here’s the hard part: U-Boot isn’t distributed directly to users. Hardware vendors integrate it into their own firmware builds, then ship it through their own update channels. Every vendor that uses an affected U-Boot version — and the vulnerable code spans over 50 stable releases — needs to adapt the patches, test them, and push them out. Devices that have stopped receiving firmware updates will likely never be patched at all.