Home News Critical U-Boot Flaws Could Let Hackers Install Stealthy Firmware Malware
NewsSecurity

Critical U-Boot Flaws Could Let Hackers Install Stealthy Firmware Malware

4

New U-Boot Bootloader Flaws Could Enable Stealthy Firmware-Level Attacks

Security researchers have discovered six vulnerabilities in U-Boot, one of the world’s most widely used open-source bootloaders, that could allow attackers to execute malicious code before a device’s operating system starts.

The flaws affect U-Boot’s FIT (Flattened Image Tree) signature verification process, which is responsible for checking whether firmware images are trusted before they are loaded. Because the bootloader operates at the earliest stage of the startup process, successful exploitation could allow attackers to bypass security protections and install persistent malware that is difficult to detect.

U-Boot is widely used in embedded Linux devices, including enterprise servers, Baseboard Management Controllers (BMCs), networking equipment, industrial systems, IoT devices, and other hardware platforms.

Vulnerabilities Could Allow Code Execution Before OS Startup

Firmware security company Binarly discovered the six vulnerabilities while analyzing U-Boot’s firmware verification mechanisms.

Researchers found that two of the flaws could potentially allow arbitrary code execution during firmware verification, while four others could be used to crash affected devices through denial-of-service attacks.

The vulnerabilities include:

  • BRLY-2026-037: A flaw that can crash U-Boot when processing malicious firmware images and may allow code execution in certain situations.
  • BRLY-2026-038: A memory corruption issue that could enable attackers to execute arbitrary code during signature verification.
  • BRLY-2026-039: An out-of-bounds read vulnerability that can cause device crashes.
  • BRLY-2026-040: A null pointer dereference flaw that allows specially crafted firmware images to disrupt the boot process.
  • BRLY-2026-041: Improper validation of external firmware data that can lead to crashes.
  • BRLY-2026-042: An unbounded recursion vulnerability that can exhaust memory resources and crash the bootloader.

Long-Standing Code Puts Many Devices at Risk

Researchers said much of the vulnerable code has existed since U-Boot version 2013.07, meaning the flaws could affect more than 50 versions of the project.

Because many hardware manufacturers use customized versions of U-Boot in their own firmware, the impact could extend to a large number of devices across multiple industries.

If exploited successfully, attackers could modify the boot process, disable firmware security mechanisms, install persistent firmware-level malware, and maintain deep control over compromised systems.

Remote Exploitation Possible on Some Devices

Although firmware attacks are often associated with physical access, Binarly warned that remote exploitation may be possible on devices that support remote firmware updates.

For example, if attackers compromise a device management interface such as a BMC, they could upload a specially crafted firmware image and exploit the vulnerabilities during the verification process.

Because attacks occur before the operating system loads, traditional security tools may struggle to detect malicious activity.

Fixes Released, But Vendor Updates Needed

Binarly reported the vulnerabilities to U-Boot developers and provided patches for all six issues. The fixes have been accepted into the official U-Boot codebase.

However, device manufacturers must integrate these patches into their own firmware releases before customers receive protection. Older devices that no longer receive firmware updates may remain permanently vulnerable.

Organizations using affected hardware are advised to monitor vendor security updates and apply firmware patches as soon as they become available.

Leave a comment

Leave a Reply

Your email address will not be published. Required fields are marked *

Related Articles

NewsSecurity

Telegram’s t.me Domain Goes Offline Worldwide After Registry Imposes ServerHold

Telegram’s t.me Links Go Offline After Domain Registry Places Hold on Address...

NewsSecurity

Exposed Hacker Server Reveals Massive Campaign Compromising 25,000 WordPress Websites

Exposed Server Reveals 25,000 Hacked WordPress Websites in Large Cybercrime Campaign A...

NewsSecurity

Hidden Tenda Router Backdoor Gives Hackers Full Administrator Access

Hidden Backdoor in Tenda Router Firmware Allows Attackers to Gain Admin Access...

NewsSecurity

US Offers $10 Million Bounty as Russian Hackers Target Signal and WhatsApp Accounts

US Offers $10 Million Reward for Information on Russian-Linked Hackers Targeting Messaging...