CVE-2019-13103

Summary

CVE	CVE-2019-13103
State	PUBLISHED
Assigner	mitre
Source Priority	CVE Program / NVD first with legacy fallback
Published	2019-07-29 15:15:12 UTC
Updated	2026-05-12 10:16:33 UTC
Description	A crafted self-referential DOS partition table will cause all Das U-Boot versions through 2019.07-rc4 to infinitely recurse, causing the stack to grow infinitely and eventually either crash or overwrite other data.

Risk And Classification

Primary CVSS: v3.1 7.1 HIGH from [email protected]

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

EPSS: 0.000530000 probability, percentile 0.166860000 (date 2026-05-12)

Problem Types: CWE-674 | n/a

Version	Source	Type	Score	Severity	Vector
3.1	[email protected]	Primary	7.1	HIGH	`CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H`
2.0	[email protected]	Primary	3.6		`AV:L/AC:L/Au:N/C:N/I:P/A:P`

CVSS v3.1 Breakdown

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

High

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

CVSS v2.0 Breakdown

Access Vector

Local

Access Complexity

Low

Authentication

None

Confidentiality

None

Integrity

Partial

Availability

Partial

AV:L/AC:L/Au:N/C:N/I:P/A:P

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Application	Denx	U-boot	All	All	All	All
Application	Denx	U-boot	2019.04	-	All	All
Application	Denx	U-boot	2019.04	rc1	All	All
Application	Denx	U-boot	2019.04	rc2	All	All
Application	Denx	U-boot	2019.04	rc3	All	All
Application	Denx	U-boot	2019.04	rc4	All	All
Application	Denx	U-boot	2019.07	rc1	All	All
Application	Denx	U-boot	2019.07	rc2	All	All
Application	Denx	U-boot	2019.07	rc3	All	All
Application	Denx	U-boot	2019.07	rc4	All	All

Vendor Declared Affected Products

Source	Vendor	Product	Version	Platforms
CNA	Na	N/a	affected n/a	Not specified
ADP	Siemens	RUGGEDCOM ROX MX5000	affected V2.17.1 custom	Not specified
ADP	Siemens	RUGGEDCOM ROX MX5000RE	affected V2.17.1 custom	Not specified
ADP	Siemens	RUGGEDCOM ROX RX1400	affected V2.17.1 custom	Not specified
ADP	Siemens	RUGGEDCOM ROX RX1500	affected V2.17.1 custom	Not specified
ADP	Siemens	RUGGEDCOM ROX RX1501	affected V2.17.1 custom	Not specified
ADP	Siemens	RUGGEDCOM ROX RX1510	affected V2.17.1 custom	Not specified
ADP	Siemens	RUGGEDCOM ROX RX1511	affected V2.17.1 custom	Not specified
ADP	Siemens	RUGGEDCOM ROX RX1512	affected V2.17.1 custom	Not specified
ADP	Siemens	RUGGEDCOM ROX RX1524	affected V2.17.1 custom	Not specified
ADP	Siemens	RUGGEDCOM ROX RX1536	affected V2.17.1 custom	Not specified
ADP	Siemens	RUGGEDCOM ROX RX5000	affected V2.17.1 custom	Not specified

References

Reference	Source	Link	Tags
cert-portal.siemens.com/productcert/pdf/ssa-618620.pdf	af854a3a-2127-422b-91ae-364da2661108	cert-portal.siemens.com	Third Party Advisory
Commits · u-boot/u-boot · GitHub	af854a3a-2127-422b-91ae-364da2661108	github.com	Patch, Third Party Advisory
cert-portal.siemens.com/productcert/html/ssa-618620.html	0b142b55-0307-4c5a-b3c9-f314f3fb7c5e	cert-portal.siemens.com
[U-Boot] [PATCH 1/5] CVE-2019-13103: disk: stop infinite recursion in DOS Partitions	af854a3a-2127-422b-91ae-364da2661108	lists.denx.de	Patch, Third Party Advisory
cert-portal.siemens.com/productcert/html/ssa-577017.html	0b142b55-0307-4c5a-b3c9-f314f3fb7c5e	cert-portal.siemens.com
Description of CVE-2019-13103 through CVE-2019-13106 · GitHub	af854a3a-2127-422b-91ae-364da2661108	gist.github.com	Third Party Advisory
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

Legacy QID Mappings

671381 EulerOS Security Update for uboot-tools (EulerOS-SA-2022-1312)
671382 EulerOS Security Update for uboot-tools (EulerOS-SA-2022-1296)
750595 OpenSUSE Security Update for u-boot (openSUSE-SU-2020:1930-1)