Login Sign Up

CVE-2024-57258

7.1 HIGH
Denial of Service

📋 TL;DR

Integer overflow vulnerabilities in Das U-Boot's memory allocation functions allow attackers to cause heap corruption via specially crafted squashfs filesystems. This affects systems using U-Boot bootloader before version 2025.01-rc1, potentially leading to arbitrary code execution during boot process.

💻 Affected Systems

Products:
  • Das U-Boot (Universal Boot Loader)
Versions: All versions before 2025.01-rc1
Operating Systems: Any OS booted via U-Boot (Linux, BSD, etc.)
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems using squashfs filesystem support in U-Boot. x86_64 systems are specifically mentioned but other architectures may be affected.

📦 What is this software?

U Boot by Denx

View all CVEs affecting U Boot →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise via arbitrary code execution during boot, allowing persistent malware installation or bricking of device.

🟠

Likely Case

System instability, crashes during boot process, or denial of service preventing normal system startup.

🟢

If Mitigated

Limited impact if system has secure boot enabled and proper memory protections, though boot failures may still occur.

🌐 Internet-Facing: LOW - Requires local access or ability to modify boot media/filesystem.
🏢 Internal Only: MEDIUM - Malicious insiders or compromised internal systems could exploit if they can modify boot files.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires ability to craft malicious squashfs filesystem and place it where U-Boot can access it during boot.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2025.01-rc1 and later

Vendor Advisory: https://lists.denx.de/pipermail/u-boot/2025-February/556000.html

Restart Required: No

Instructions:

1. Update U-Boot source to 2025.01-rc1 or later. 2. Rebuild U-Boot with updated source. 3. Flash new U-Boot binary to device. 4. Verify boot process completes successfully.

🔧 Temporary Workarounds

Disable squashfs support

all

Remove squashfs filesystem support from U-Boot configuration to prevent exploitation vector.

make menuconfig
Navigate to Filesystem support -> SquashFS support and disable
make

🧯 If You Can't Patch

  • Disable automatic loading of squashfs filesystems during boot
  • Implement secure boot with verified boot media only

🔍 How to Verify

Check if Vulnerable:

Check U-Boot version: 'version' command at U-Boot prompt or examine binary headers. If version is before 2025.01-rc1 and squashfs support is enabled, system is vulnerable.

Check Version:

At U-Boot prompt: 'version' or 'bdinfo'

Verify Fix Applied:

Verify U-Boot version is 2025.01-rc1 or later and test booting with a squashfs filesystem to ensure no crashes.

📡 Detection & Monitoring

Log Indicators:

  • U-Boot boot failures when loading squashfs
  • Kernel panic during early boot
  • Memory allocation errors in boot logs

Network Indicators:

  • None - local exploitation only

SIEM Query:

Search for: 'U-Boot crash', 'boot failure', 'squashfs error' in system logs during boot sequence

📊 Metadata

CVE ID: CVE-2024-57258
CVSS v3 Score: 7.1 (HIGH)
CVSS Vector: CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
CWE: CWE-190
EPSS Score: 0.04% exploit probability (13th percentile)
Published: February 18, 2025
Last Updated: November 3, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-57258, you might also want to check these:

CVE-2025-64721 10.0

This vulnerability in Sandboxie allows sandboxed processes to exploit an integer overflow in the Sbi...

Same vulnerability type (CWE-190)
CVE-2025-52581 9.8

An integer overflow vulnerability in libbiosig's GDF file parsing allows arbitrary code execution wh...

Same vulnerability type (CWE-190)
CVE-2025-53518 9.8

An integer overflow vulnerability in libbiosig's ABF file parser allows arbitrary code execution whe...

Same vulnerability type (CWE-190)