Cyber Resilience

CVE-2024-57256

High · Updated

Published: 18 February 2025

Modified: 12 May 2026
CVSS Score v3.1: 7.1 (CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0006 (19.4th percentile)
Risk Priority: 14 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-57256 is a high-severity Integer Overflow or Wraparound (CWE-190) vulnerability in Denx U-Boot. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Pre-OS Boot (T1542). The CVE ranks at the 19.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2024-57256 is an integer overflow vulnerability (CWE-190) in the ext4fs_read_symlink function within Das U-Boot versions prior to 2025.01-rc1. The issue arises when processing a crafted ext4 filesystem featuring an inode size of 0xffffffff, which causes an overflow during a zalloc operation that adds one to an le32 variable. This results in a malloc allocation of zero bytes, enabling a subsequent memory overwrite.

Exploitation requires physical access to the target device (AV:P) and involves high attack complexity (AC:H), with no privileges (PR:N) or user interaction (UI:N) needed. The attack has a changed scope (S:C) and high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H), scoring 7.1 under CVSS 3.1. A successful exploit could allow an attacker to overwrite memory, potentially leading to arbitrary code execution or system compromise on affected U-Boot bootloaders.

The fix is commit 35f75d2a46e5859138c83a75cd2f4141c5479ab9 in the U-Boot repository; users should apply it by updating to Das U-Boot 2025.01-rc1 or later. Announcements on oss-security (2025/02/17) detail the vulnerability disclosure, while Debian LTS tracking (2025/05) indicates backported fixes for affected distributions. Security practitioners should verify bootloader versions in embedded or boot environments and test crafted filesystem inputs during validation.
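An added model of the length arithmetic described in this analysis (not U-Boot's code and not the upstream patch): the unchecked "size plus one" computation beside a checked form that rejects the wrapping value. The function names, the max_len cap and the sample bytes are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Vulnerable pattern: the +1 for the NUL terminator is computed in 32-bit
 * unsigned arithmetic, so an on-disk size of 0xffffffff wraps to 0. */
static uint32_t alloc_len_unchecked(uint32_t inode_size)
{
    return inode_size + 1u;
}

/* Hardened pattern: reject a size that would wrap or that exceeds a
 * caller-chosen cap (max_len is a hypothetical policy limit). */
static int alloc_len_checked(uint32_t inode_size, uint32_t max_len, size_t *out)
{
    if (inode_size == UINT32_MAX || inode_size > max_len)
        return -1;
    *out = (size_t)inode_size + 1;
    return 0;
}

/* Model of reading a symlink target. The little-endian size field and the
 * data both come from untrusted media. Returns a NUL-terminated copy, or
 * NULL if the size is rejected or exceeds the bytes actually available. */
static char *read_symlink_model(const uint8_t f[4], const uint8_t *data,
                                size_t avail, uint32_t max_len)
{
    uint32_t size = (uint32_t)f[0] | (uint32_t)f[1] << 8 |
                    (uint32_t)f[2] << 16 | (uint32_t)f[3] << 24;
    size_t len;
    char *buf;

    if (alloc_len_checked(size, max_len, &len) != 0 || size > avail)
        return NULL;
    buf = calloc(1, len);              /* zero-filled, like zalloc */
    if (buf)
        memcpy(buf, data, size);
    return buf;
}

int main(void)
{
    const uint8_t crafted[4] = { 0xff, 0xff, 0xff, 0xff }; /* constructed */
    printf("unchecked length: %u\n", (unsigned)alloc_len_unchecked(0xffffffffu));
    printf("checked read: %s\n",
           read_symlink_model(crafted, (const uint8_t *)"x", 1, 4096) ? "accepted" : "rejected");
    return 0;
}
```

The same boundary values make a compact regression test when validating a patched bootloader build's ext4 parsing.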

Vulnerability details

An integer overflow in ext4fs_read_symlink in Das U-Boot before 2025.01-rc1 occurs for zalloc (adding one to an le32 variable) via a crafted ext4 filesystem with an inode size of 0xffffffff, resulting in a malloc of zero and resultant memory overwrite.

CWE(s)

CWE-190 (Integer Overflow or Wraparound)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1542 Pre-OS Boot · Stealth
Adversaries may abuse Pre-OS Boot mechanisms as a way to establish persistence on a system.

T1068 Exploitation for Privilege Escalation · Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

Why these techniques?

The integer overflow in U-Boot's ext4 parsing enables memory overwrite and arbitrary code execution at boot time via a crafted filesystem image (physical access required), which maps directly to pre-OS boot compromise and privilege escalation via exploitation.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2024-57255 · Same product: Denx U-Boot
CVE-2024-57258 · Same product: Denx U-Boot
CVE-2024-57254 · Same product: Denx U-Boot
CVE-2024-57259 · Same product: Denx U-Boot
CVE-2026-33243 · Same product: Denx U-Boot
CVE-2025-0587 · Shared CWE-190
CVE-2025-24156 · Shared CWE-190
CVE-2025-33219 · Shared CWE-190
CVE-2025-47363 · Shared CWE-190
CVE-2024-34733 · Shared CWE-190

Affected Assets

denx u-boot ≤ 2024.10

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

Prevent: Requires timely patching of the integer overflow in U-Boot's ext4fs_read_symlink function to prevent exploitation via crafted ext4 filesystems.

Prevent: Mandates validation of filesystem inputs such as inode sizes to block integer overflows during zalloc operations in bootloader parsing.

Prevent: Implements memory protections that mitigate overwrites from zero-byte malloc allocations triggered by the integer overflow.
