CVE-2019-13106

Summary

CVE	CVE-2019-13106
State	PUBLISHED
Assigner	mitre
Source Priority	CVE Program / NVD first with legacy fallback
Published	2019-08-06 20:15:12 UTC
Updated	2026-05-12 10:16:34 UTC
Description	Das U-Boot versions 2016.09 through 2019.07-rc4 can memset() too much data while reading a crafted ext4 filesystem, which results in a stack buffer overflow and likely code execution.

Risk And Classification

Primary CVSS: v3.1 7.8 HIGH from [email protected]

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS: 0.009220000 probability, percentile 0.761210000 (date 2026-05-12)

Problem Types: CWE-787 | n/a

Version	Source	Type	Score	Severity	Vector
3.1	[email protected]	Primary	7.8	HIGH	`CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H`
2.0	[email protected]	Primary	8.3		`AV:N/AC:M/Au:N/C:P/I:P/A:C`

CVSS v3.1 Breakdown

Attack Vector

Local

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS v2.0 Breakdown

Access Vector

Network

Access Complexity

Medium

Authentication

None

Confidentiality

Partial

Integrity

Partial

Availability

Complete

AV:N/AC:M/Au:N/C:P/I:P/A:C

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Application	Denx	U-boot	2019.07	-	All	All
Application	Denx	U-boot	2019.07	rc1	All	All
Application	Denx	U-boot	2019.07	rc2	All	All
Application	Denx	U-boot	2019.07	rc3	All	All
Application	Denx	U-boot	2019.07	rc4	All	All
Application	Denx	U-boot	All	All	All	All
Operating System	Opensuse	Leap	15.0	All	All	All
Operating System	Opensuse	Leap	15.1	All	All	All

Vendor Declared Affected Products

Source	Vendor	Product	Version	Platforms
CNA	Na	N/a	affected n/a	Not specified
ADP	Siemens	RUGGEDCOM ROX MX5000	affected V2.17.1 custom	Not specified
ADP	Siemens	RUGGEDCOM ROX MX5000RE	affected V2.17.1 custom	Not specified
ADP	Siemens	RUGGEDCOM ROX RX1400	affected V2.17.1 custom	Not specified
ADP	Siemens	RUGGEDCOM ROX RX1500	affected V2.17.1 custom	Not specified
ADP	Siemens	RUGGEDCOM ROX RX1501	affected V2.17.1 custom	Not specified
ADP	Siemens	RUGGEDCOM ROX RX1510	affected V2.17.1 custom	Not specified
ADP	Siemens	RUGGEDCOM ROX RX1511	affected V2.17.1 custom	Not specified
ADP	Siemens	RUGGEDCOM ROX RX1512	affected V2.17.1 custom	Not specified
ADP	Siemens	RUGGEDCOM ROX RX1524	affected V2.17.1 custom	Not specified
ADP	Siemens	RUGGEDCOM ROX RX1536	affected V2.17.1 custom	Not specified
ADP	Siemens	RUGGEDCOM ROX RX5000	affected V2.17.1 custom	Not specified

References

Reference	Source	Link	Tags
Commits · u-boot/u-boot · GitHub	af854a3a-2127-422b-91ae-364da2661108	github.com	Product
cert-portal.siemens.com/productcert/html/ssa-577017.html	0b142b55-0307-4c5a-b3c9-f314f3fb7c5e	cert-portal.siemens.com
[security-announce] openSUSE-SU-2019:2235-1: moderate: Security update f	af854a3a-2127-422b-91ae-364da2661108	lists.opensuse.org	Mailing List, Third Party Advisory
[security-announce] openSUSE-SU-2019:2233-1: moderate: Security update f	af854a3a-2127-422b-91ae-364da2661108	lists.opensuse.org	Mailing List, Third Party Advisory
Description of CVE-2019-13103 through CVE-2019-13106 · GitHub	af854a3a-2127-422b-91ae-364da2661108	gist.github.com	Third Party Advisory
[U-Boot] [PATCH 5/5] CVE-2019-13106: ext4: fix out-of-bounds memset	af854a3a-2127-422b-91ae-364da2661108	lists.denx.de	Mailing List, Patch
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

Legacy QID Mappings

671381 EulerOS Security Update for uboot-tools (EulerOS-SA-2022-1312)
671382 EulerOS Security Update for uboot-tools (EulerOS-SA-2022-1296)