Researchers have uncovered six U-Boot vulnerabilities that could allow attackers to execute malicious code during the earliest stages of a device’s startup. The flaws affect the widely used open-source bootloader and could enable persistent firmware attacks before the operating system or security software begins running.
Two of the vulnerabilities could lead to arbitrary code execution, while the remaining four can be exploited to crash vulnerable devices.
Security Flaws Target the Boot Process
U-Boot is one of the world’s most widely deployed open-source bootloaders. It is used in embedded Linux devices, including Baseboard Management Controllers (BMCs), networking hardware, industrial systems, IoT devices, and enterprise appliances.
Because U-Boot loads the operating system, attackers who compromise it can gain control before the operating system starts. This allows them to bypass many security protections that normally activate later in the boot process.
One important safeguard is Verified Boot. This feature checks cryptographic signatures to ensure that only trusted firmware and operating system images are loaded.
Six Vulnerabilities Discovered
Firmware security researchers identified six flaws in U-Boot’s Flattened Image Tree (FIT) signature verification code.
According to the researchers, two vulnerabilities could allow arbitrary code execution during firmware verification. The remaining four can trigger crashes by processing specially crafted firmware images.
The disclosed vulnerabilities include:
- BRLY-2026-037: Crash vulnerability that may allow arbitrary code execution under certain conditions.
- BRLY-2026-038: Memory corruption flaw that could lead to arbitrary code execution.
- BRLY-2026-039: Out-of-bounds read that can crash vulnerable devices.
- BRLY-2026-040: Null pointer dereference causing the bootloader to crash.
- BRLY-2026-041: Improper validation of external firmware data that can trigger crashes.
- BRLY-2026-042: Unbounded recursion that exhausts stack memory and crashes the bootloader.
Vulnerable Code Has Existed for Years
The researchers say most of the affected code has been present since U-Boot version 2013.07.
As a result, the U-Boot vulnerabilities could affect more than 50 stable releases of the project. The impact also extends to hardware manufacturers that incorporated the vulnerable code into their own firmware.
Many downstream vendor versions may therefore remain exposed until manufacturers release updated firmware.
Firmware Attacks Could Be Difficult to Detect
If attackers exploit the code execution flaws, they could run malicious code before the operating system loads.
This early access could allow them to disable firmware security features, alter the boot process, or install persistent firmware malware that survives operating system reinstalls.
Because the malicious code executes before the operating system starts, detecting these attacks can be significantly more difficult than identifying traditional malware.
Remote Systems May Also Be at Risk
The researchers note that exploiting the U-Boot vulnerabilities does not always require physical access.
Devices such as Baseboard Management Controllers that support remote firmware updates could be attacked if a threat actor first compromises the management interface. The attacker could then upload a specially crafted firmware image designed to trigger the vulnerabilities.
The researchers reported all six flaws to the U-Boot maintainers and submitted patches that have already been accepted into the main project.
However, hardware vendors must now integrate those fixes into their own firmware before customers receive updates. Older or unsupported devices that no longer receive firmware updates may remain permanently vulnerable.


0 responses to “U-Boot Vulnerabilities Could Enable Stealthy Firmware Attacks Before Startup”