Dear DENX Team, I hope this message finds you well.
I am writing to seek clarification regarding a recent CVE entry — **CVE-2025-45512** — which claims a security issue in U-Boot version v1.1.3, stating that it allows loading and executing arbitrary firmware images without verifying cryptographic signatures. As far as I understand, U-Boot (especially older versions like v1.1.3) does not perform any image signature verification by design unless specifically configured to do so with FIT signatures or integrated into a secure boot chain.

Given this, I would like to ask:

1. Is CVE-2025-45512 (https://www.cve.org/CVERecord?id=CVE-2025-45512) an officially acknowledged vulnerability by DENX or the U-Boot project?
2. Do you consider the described behavior to be a vulnerability, or rather a default characteristic of early U-Boot versions?
3. Has this issue been addressed or mitigated in later U-Boot versions (e.g., with FIT signature and RSA verification support)?
4. Are there any recommended mitigations for users still using legacy versions like v1.1.3?

Understanding your stance would greatly help clarify the scope and risk associated with this CVE.

Thank you for your time and for your continued work on U-Boot.

Best regards,
rama tri nanda
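As an added illustration (not part of the message above and not a DENX reply) of the FIT signature mechanism the third question refers to: a minimal image tree source for a signed FIT configuration, where U-Boot verifies the RSA signature over the kernel and the configuration before booting. The file names, load address and the key-name hint "dev" are assumed placeholders.

```dts
/dts-v1/;

/ {
	description = "Kernel FIT with a signed configuration (illustrative)";
	#address-cells = <1>;

	images {
		kernel-1 {
			description = "Linux kernel";
			data = /incbin/("zImage");           /* placeholder kernel image */
			type = "kernel";
			arch = "arm";
			os = "linux";
			compression = "none";
			load = <0x80008000>;                  /* placeholder load address */
			entry = <0x80008000>;
			hash-1 {
				algo = "sha256";                  /* hash covered by the signature */
			};
		};
	};

	configurations {
		default = "conf-1";
		conf-1 {
			description = "Boot signed kernel";
			kernel = "kernel-1";
			signature-1 {
				algo = "sha256,rsa2048";          /* hash and RSA key size */
				key-name-hint = "dev";            /* expects keys/dev.key at signing time */
				sign-images = "kernel";           /* image references bound into the signature */
			};
		};
	};
};
```

Signing with `mkimage -f signed.its -k keys -K u-boot.dtb -r signed.itb` embeds the public key in the U-Boot control DTB and marks it as required, so a U-Boot built with `CONFIG_FIT_SIGNATURE=y` (which pulls in RSA support) refuses configurations whose signature does not verify; without such a key and that option enabled, a FIT is loaded without any signature check, which is the behaviour the message describes.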