Cyber Posture

CVE-2024-57255

Severity: High
Published: 18 February 2025
Modified: 03 November 2025
KEV Added: not listed
Patch: available
CVSS Score: 7.1 (CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0006 (19.0th percentile)
Risk Priority: 14 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-57255 is a high-severity Integer Overflow or Wraparound (CWE-190) vulnerability in Denx U-Boot. Its CVSS base score is 7.1 (High).

Operationally, its EPSS score places it at the 19.0th percentile for exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) (AI-generated)

prevent: Directly mitigates the vulnerability by requiring timely remediation: patching U-Boot to version 2025.01-rc1 or later eliminates the integer overflow in sqfs_resolve_symlink.

prevent (SI-10, Information Input Validation): Prevents the integer overflow by validating SquashFS inode sizes against expected ranges before any allocation is made from them.

prevent (SI-16, Memory Protection): Mitigates exploitation of the memory overwrite that follows the zero-byte malloc by implementing address space layout randomization, stack canaries, and other memory protections in the bootloader.

NVD Description

An integer overflow in sqfs_resolve_symlink in Das U-Boot before 2025.01-rc1 occurs via a crafted squashfs filesystem with an inode size of 0xffffffff, resulting in a malloc of zero and resultant memory overwrite.

Deeper analysis (AI-generated)

CVE-2024-57255 is an integer overflow vulnerability (CWE-190) in the sqfs_resolve_symlink function of Das U-Boot versions prior to 2025.01-rc1. The issue arises when processing a crafted SquashFS filesystem with an inode size of 0xffffffff, which triggers an integer overflow, resulting in a malloc allocation of zero bytes and a subsequent memory overwrite.
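The wraparound described above, shown beside the kind of input-validation check that SI-10 calls for. This is an added illustration, not U-Boot's code: it assumes the allocation pattern is a 32-bit on-disk symlink size incremented by one for a NUL terminator, and the names naive_alloc_len, checked_alloc_len, copy_symlink_target and target_equals are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Assumed allocation pattern (not U-Boot's code): the 32-bit on-disk
 * symlink size plus one byte for a NUL terminator. With 0xffffffff the
 * sum wraps to 0, so malloc(0) hands back a buffer the copy overruns. */
uint32_t naive_alloc_len(uint32_t symlink_size)
{
    return symlink_size + 1u;
}

/* Hardened computation (SI-10 style input validation). Returns the byte
 * count to allocate, or 0 to reject: the claimed size either cannot be
 * incremented without wrapping or exceeds the bytes actually present. */
size_t checked_alloc_len(uint32_t symlink_size, size_t avail)
{
    if (symlink_size == UINT32_MAX)
        return 0;                    /* +1 would wrap to 0 */
    if ((size_t)symlink_size > avail)
        return 0;                    /* claims more data than exists */
    return (size_t)symlink_size + 1; /* room for the terminator */
}

/* Copy a symlink target into a fresh NUL-terminated buffer, or return
 * NULL when validation fails; a valid length is never 0. Caller frees. */
char *copy_symlink_target(const uint8_t *data, uint32_t symlink_size, size_t avail)
{
    size_t len = checked_alloc_len(symlink_size, avail);
    if (len == 0)
        return NULL;
    char *target = malloc(len);
    if (!target)
        return NULL;
    memcpy(target, data, symlink_size);
    target[symlink_size] = '\0';
    return target;
}

/* Convenience check: does the validated copy equal the expected string? */
bool target_equals(const char *raw, uint32_t size, size_t avail, const char *expected)
{
    char *t = copy_symlink_target((const uint8_t *)raw, size, avail);
    bool ok = t && strcmp(t, expected) == 0;
    free(t);
    return ok;
}
```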

Exploitation requires physical access to the device (AV:P) and high attack complexity (AC:H), with no privileges (PR:N) or user interaction (UI:N) required. A successful attack can achieve high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H) with a changed scope (S:C), yielding a CVSS v3.1 base score of 7.1.

The vulnerability was patched in a commit to the U-Boot repository (https://source.denx.de/u-boot/u-boot/-/commit/233945eba63e24061dffeeaeb7cd6fe985278356). It was publicly disclosed on the oss-security mailing list (https://www.openwall.com/lists/oss-security/2025/02/17/2) and addressed in Debian LTS announcements (https://lists.debian.org/debian-lts-announce/2025/05/msg00001.html), recommending upgrades to U-Boot 2025.01-rc1 or later.

Details

CWE(s): CWE-190 (Integer Overflow or Wraparound)

Affected Products: denx u-boot, versions ≤ 2024.10

CVEs Like This One

CVE-2024-57258 (same product: Denx U-Boot)
CVE-2024-57254 (same product: Denx U-Boot)
CVE-2024-57256 (same product: Denx U-Boot)
CVE-2024-57259 (same product: Denx U-Boot)
CVE-2026-33243 (same product: Denx U-Boot)
CVE-2026-41602 (shared CWE-190)
CVE-2025-24156 (shared CWE-190)
CVE-2026-27889 (shared CWE-190)
CVE-2025-53518 (shared CWE-190)
CVE-2026-41416 (shared CWE-190)