Hi folks,

We recently had a patch sent to Yocto Project to backport a fix for CVE-2025-24857 to our Scarthgap branch which uses U-Boot 2024.01. Looking at the CVE info, this has confused me a lot. It says [1]:

  Improper access control for volatile memory containing boot code in Universal Boot Loader (U-Boot) before 2017.11 and Qualcomm chips IPQ4019, IPQ5018, IPQ5322, IPQ6018, IPQ8064, IPQ8074, and IPQ9574 could allow an attacker to execute arbitrary code.

The NVD page says it affects U-Boot "Up to (excluding) 2017.11". But the patch that says it addresses CVE-2025-24867 was committed to U-Boot in December 2025 [2]. The first release containing this patch was v2026.01.

Is this commit actually needed to resolve that CVE? Or is it some other change back in 2017 that fixed the issue? (A yes/no is fine, I don't need a link to the exact commit.)

[1]: https://nvd.nist.gov/vuln/detail/CVE-2025-24857
[2]: https://source.denx.de/u-boot/u-boot/-/commit/87d85139a96a39429120cca838e739408ef971a2

Best regards,

--
Paul Barker