Six vulnerabilities in the widely used U-Boot bootloader have been discovered that could allow attackers to execute malicious code during device boot, potentially enabling stealthy firmware attacks that compromise security protections and install persistent malware.
U-Boot is one of the world’s most widely used open-source bootloaders and is found in many embedded Linux devices, including enterprise servers’ Baseboard Management Controllers (BMCs), networking equipment, industrial systems, IoT devices, and other appliances.
Because U-Boot is responsible for loading the operating system, vulnerabilities in the bootloader can allow attackers to compromise a device before the operating system and its security software have a chance to start.
One of its security features, known as Verified Boot, uses cryptographic signatures to ensure that only firmware and operating system images signed by a trusted key are loaded during startup.
In a report published this week, firmware security company Binarly disclosed six vulnerabilities in U-Boot’s FIT (Flattened Image Tree) signature verification code.
“Recognising the critical nature of this component, the Binarly Research team decided to examine the core functionality of the U-Boot project more closely,” explains Binarly.
“This research revealed six distinct vulnerabilities, ranging in impact from denial of service (DoS) to arbitrary code execution during the verification of an untrusted image.”
According to the researchers, two of the flaws can potentially lead to arbitrary code execution during firmware verification, while the remaining four can be exploited to crash vulnerable devices.
As these flaw impact the code for validating firmware images before the operating system starts, if an attacker can exploit that process, they may be able to execute malicious code before the operating system loads.
According to Binarly, most of the vulnerable code has existed since U-Boot version 2013.07, causing the flaws to potentially affect more than 50 releases of the project as well as vendors who utilized the vulnerable code in their own firmware.
“This means that they potentially affect over 50 stable releases of the U-Boot project. Counting many downstream vendor forks, these vulnerabilities have a significant impact on the industry,” explains Binarly.
If successfully exploited, the arbitrary code execution vulnerabilities could allow attackers to execute code during the earliest stages of the boot process.
Because this occurs before the operating system loads, attackers could potentially disable firmware security features, modify the boot process, install persistent firmware malware, or carry out other malicious actions with high levels of access.
Binarly says that malicious would be difficult to detect because they execute before the operating system starts.
Binarly says exploiting these vulnerabilities does not always require physical access. On systems such as BMCs that support remote firmware updates, an attacker who has already compromised the management interface could upload a specially crafted firmware image to exploit the flaws.
Binarly reported the vulnerabilities to the U-Boot maintainers and submitted patches for all six issues, which have since been accepted into the project’s upstream codebase.
However, because U-Boot is integrated into firmware by individual hardware manufacturers, the fixes must first be incorporated into vendors’ firmware updates before they can be distributed to customers.
Older or unsupported devices that no longer receive firmware updates may never be patched.
Security teams log 54% of successful attacks and alert on just 14%. The rest move through your environment unseen.
The Picus whitepaper shows how breach and attack simulation tests your SIEM and EDR rules so threats stop slipping by detection.
EU sanctions Russian GRU military hackers over cyberattacks
Breach at the Beach: Play the Ultimate Entra ID CTF
The Replicant in Your Directory: AI Agents and the Identity Security Gap
Hidden backdoor in Tenda router firmware grants admin access
Microsoft expects more Windows security updates from AI-discovered flaws
Claude Fable 5 stays free for paid users until July 19 as Anthropic buys more time
Australia warns of global campaign targeting vulnerable CMS platforms
‘Ghostcommit’ hides prompt injection in images to fool AI agents, steal secrets
AI is a data-breach time bomb: Read the new report?utm_source=bleepingcomputer&utm_medium=referral&utm_campaign=bleepingcomputer_referral&utm_content=article
Overdue a password health-check? Audit your Active Directory for free
#1 MSP Benchmark report 2026: Insights from 1,000+ MSPs on growth, security, artificial intelligence, and key 2026 trends.
Your Scanners Are Green. Your Pipeline Might Not Be. Here’s How to Close the Gap.
How Mature Is Your AI Security Program? Take the Free AI Maturity Assessment.
Terms of Use – Privacy Policy – Ethics Statement – Affiliate Disclosure
Read our posting guidelinese to learn what content is prohibited.



