Unchecked Download size in Uboot
Summary
| CVE | CVE-2022-2347 |
|---|---|
| State | PUBLISHED |
| Assigner | |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2022-09-23 13:15:10 UTC |
| Updated | 2026-05-12 10:16:37 UTC |
| Description | There exists an unchecked length field in UBoot. The U-Boot DFU implementation does not bound the length field in USB DFU download setup packets, and it does not verify that the transfer direction corresponds to the specified command. Consequently, if a physical attacker crafts a USB DFU download setup packet with a `wLength` greater than 4096 bytes, they can write beyond the heap-allocated request buffer. |
Risk And Classification
Primary CVSS: v3.1 7.1 HIGH from [email protected]
CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS: 0.000380000 probability, percentile 0.113400000 (date 2026-05-12)
Problem Types: CWE-122 Heap-based Buffer Overflow | CWE-787
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | [email protected] | Primary | 7.1 | HIGH | CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H |
| 3.1 | [email protected] | Secondary | 7.7 | HIGH | CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H |
| 3.1 | CNA | DECLARED | 7.7 | HIGH | CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H |
CVSS v3.1 Breakdown
Vector: CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
| Metric | Value |
|---|---|
| Attack Vector | Physical |
| Attack Complexity | High |
| Privileges Required | None |
| User Interaction | None |
| Scope | Changed |
| Confidentiality | High |
| Integrity | High |
| Availability | High |
NVD Known Affected Configurations (CPE 2.3)
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Uboot | Uboot | affected unspecified 2022.07 custom | Not specified |
| ADP | Siemens | RUGGEDCOM ROX MX5000 | affected V2.17.1 custom | Not specified |
| ADP | Siemens | RUGGEDCOM ROX MX5000RE | affected V2.17.1 custom | Not specified |
| ADP | Siemens | RUGGEDCOM ROX RX1400 | affected V2.17.1 custom | Not specified |
| ADP | Siemens | RUGGEDCOM ROX RX1500 | affected V2.17.1 custom | Not specified |
| ADP | Siemens | RUGGEDCOM ROX RX1501 | affected V2.17.1 custom | Not specified |
| ADP | Siemens | RUGGEDCOM ROX RX1510 | affected V2.17.1 custom | Not specified |
| ADP | Siemens | RUGGEDCOM ROX RX1511 | affected V2.17.1 custom | Not specified |
| ADP | Siemens | RUGGEDCOM ROX RX1512 | affected V2.17.1 custom | Not specified |
| ADP | Siemens | RUGGEDCOM ROX RX1524 | affected V2.17.1 custom | Not specified |
| ADP | Siemens | RUGGEDCOM ROX RX1536 | affected V2.17.1 custom | Not specified |
| ADP | Siemens | RUGGEDCOM ROX RX5000 | affected V2.17.1 custom | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| lists.debian.org/debian-lts-announce/2025/05/msg00001.html | af854a3a-2127-422b-91ae-364da2661108 | lists.debian.org | |
| oss-sec: Fwd: CVE-2022-2347 - Unchecked Download Size and Direction in U-Boot USB DFU | af854a3a-2127-422b-91ae-364da2661108 | seclists.org | Exploit, Mailing List, Third Party Advisory |
| cert-portal.siemens.com/productcert/html/ssa-577017.html | 0b142b55-0307-4c5a-b3c9-f314f3fb7c5e | cert-portal.siemens.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.