CVE-2024-57254

7.1 HIGH

📋 TL;DR

An integer overflow vulnerability in Das U-Boot's squashfs filesystem parser allows attackers to cause memory corruption via specially crafted symlink entries. This affects systems using U-Boot bootloader with squashfs support, potentially leading to denial of service or arbitrary code execution during boot. Embedded devices, routers, and IoT devices using vulnerable U-Boot versions are primarily affected.

💻 Affected Systems

Products:
  • Das U-Boot bootloader
Versions: All versions before 2025.01-rc1
Operating Systems: Any OS booted via U-Boot (Linux, BSD, etc.)
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems with squashfs filesystem support enabled in U-Boot configuration. Many embedded devices use this for boot partitions.


⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote attacker could achieve arbitrary code execution during boot process, potentially compromising the entire system before OS loads, leading to persistent compromise or bricking of device.

🟠

Likely Case

Local attacker with filesystem access could cause boot failure or denial of service by triggering the overflow during boot sequence.

🟢

If Mitigated

With proper access controls and signed boot components, impact limited to denial of service during boot requiring physical recovery.

🌐 Internet-Facing: LOW - Requires local filesystem access or compromised boot media; not directly exploitable over network.
🏢 Internal Only: MEDIUM - Malicious insiders or compromised internal systems could plant crafted squashfs images to affect boot process.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires ability to place crafted squashfs filesystem in boot path. Exploitation depends on memory layout and platform specifics.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2025.01-rc1 and later

Vendor Advisory: https://source.denx.de/u-boot/u-boot/-/commit/c8e929e5758999933f9e905049ef2bf3fe6b140d

Restart Required: No

Instructions:

1. Update U-Boot source to 2025.01-rc1 or later.
2. Rebuild U-Boot with your device configuration.
3. Flash updated bootloader to device.
4. Verify boot process completes successfully.

🔧 Temporary Workarounds

Disable squashfs support

all

Remove squashfs filesystem support from U-Boot configuration if not required for boot process.

# In U-Boot configuration: CONFIG_FS_SQUASHFS=n

Secure boot media

all

Implement write protection for boot partitions and verify integrity of squashfs images before boot.

🧯 If You Can't Patch

  • Implement secure boot with verified boot images to prevent unauthorized squashfs filesystems
  • Restrict physical and logical access to boot media and configuration interfaces

🔍 How to Verify

Check if Vulnerable:

Check U-Boot version string during boot or via 'version' command in U-Boot console. If version is before 2025.01-rc1 and CONFIG_FS_SQUASHFS is enabled, system is vulnerable.

Check Version:

In U-Boot console: version

Verify Fix Applied:

Verify U-Boot version is 2025.01-rc1 or later and test booting with a squashfs filesystem containing symlinks.
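
The "Check if Vulnerable" rule above as a host-side triage script, added here as an example (not part of the advisory or of U-Boot): it parses a U-Boot version banner and a build `.config` and applies the version and CONFIG_FS_SQUASHFS test. The function names and the sample banner and config text are constructed for illustration; a vendor fork can backport the fix without changing its version string, so treat the result as a first-pass filter.

```python
import re

# First fixed release per the advisory: 2025.01-rc1 -> (year, month, rc).
FIXED = (2025, 1, 1)
# A final release (no -rcN suffix) must sort after every rc of the same month.
FINAL = 10**6

# Matches "U-Boot 2024.10", "U-Boot 2025.01-rc1-00012-g...", "U-Boot SPL 2024.07".
_VER = re.compile(r"U-Boot (?:SPL |TPL )?(\d{4})\.(\d{2})(?:-rc(\d+))?")


def parse_version(banner):
    """Return (year, month, rc) from a U-Boot banner, or None if not found."""
    m = _VER.search(banner)
    if not m:
        return None
    year, month, rc = m.groups()
    return (int(year), int(month), int(rc) if rc else FINAL)


def squashfs_enabled(config_text):
    """True if the build .config sets CONFIG_FS_SQUASHFS=y."""
    # A disabled option appears as "# CONFIG_FS_SQUASHFS is not set" or is absent.
    return any(line.strip() == "CONFIG_FS_SQUASHFS=y"
               for line in config_text.splitlines())


def is_vulnerable(banner, config_text):
    """Apply the advisory's rule: version before 2025.01-rc1 AND squashfs enabled."""
    ver = parse_version(banner)
    if ver is None:
        raise ValueError("no U-Boot version found in banner")
    return ver < FIXED and squashfs_enabled(config_text)


if __name__ == "__main__":
    # Constructed sample inputs (not taken from a real device).
    banner = "U-Boot 2024.10-rc3-00012-gabcdef0 (Oct 01 2024 - 12:00:00 +0000)"
    config = "CONFIG_CMD_FS_GENERIC=y\nCONFIG_FS_SQUASHFS=y\n"
    print("vulnerable" if is_vulnerable(banner, config) else "not vulnerable")
```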

📡 Detection & Monitoring

Log Indicators:

  • U-Boot boot failures when mounting squashfs partitions
  • Kernel panic during early boot phase

Network Indicators:

  • None - this is a local bootloader vulnerability

SIEM Query:

Search for: 'U-Boot panic', 'squashfs error', or boot failure events in system logs
