Hello U-Boot mailing list, I’m a vulnerability analyst at VulnCheck <https://www.vulncheck.com>, an exploit intelligence company and research CVE Numbering Authority (CNA), where I'm one of several folks who manage our coordinated vulnerability disclosure (CVD) program.
An external security researcher recently reported several vulnerabilities <https://www.vulncheck.com/advisories/report> impacting the U-Boot codebase (discovered against release v2026.04-rc3), and VulnCheck is acting as the intermediary and coordinator.

VulnCheck follows a 120-day disclosure policy <https://www.vulncheck.com/vulnerability-disclosure-policy>, meaning we afford vendors/maintainers up to 120 days from the time of receiving the report to address the issues before publication of CVE records and third-party advisories. For these vulnerabilities, that 120-day deadline falls on *September 5, 2026*.

We have provisionally allocated the following CVE IDs, which have been shared with the researcher but will remain private until public disclosure:

- *CVE-2026-29007* - Out-of-Bounds Read in TCP Options Parser
- *CVE-2026-29008* - Integer Underflow in TCP Payload Length
- *CVE-2026-29009* - Buffer Overflow via NFS Symlink Chain

Please be aware that none of this information is public at this moment and all parties involved are considered under embargo.

The researcher has provided us with a comprehensive technical report including reproduction steps. Once an appropriate point of contact is identified, we'd be happy to share those materials with your team.

If interested in VulnCheck's previous disclosures, you may find those here <https://www.vulncheck.com/advisories>.

Let us know if you have any questions for us about the CVD process or for the researcher regarding the reported vulnerabilities.

Respectfully,

<https://www.vulncheck.com/>
Wade Sparks III
VulnCheck Senior Vulnerability Analyst

