Cyber Posture

CVE-2024-57258

High

Published: 18 February 2025

Published
18 February 2025
Modified
03 November 2025
KEV Added
Patch
CVSS Score 7.1 CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS Score 0.0005 16.9th percentile
Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-57258 is a high-severity Integer Overflow or Wraparound (CWE-190) vulnerability in Denx U-Boot. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Bootkit (T1542.003); ranked at the 16.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Bootkit (T1542.003). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match
prevent

Timely application of U-Boot patches from specified commits directly remediates the integer overflow in memory allocation during SquashFS processing.

SI-16 Memory Protection partial match
prevent

Memory protection mechanisms such as non-executable regions or address randomization mitigate exploitation of the integer overflow in sbrk, request2size, and ptrdiff_t handling.

SI-10 Information Input Validation partial match
prevent

Validation of SquashFS filesystem inputs prior to processing in U-Boot prevents crafted filesystems from triggering the integer overflows.

MITRE ATT&CK Enterprise TechniquesAI

T1542.003 Bootkit Stealth
Adversaries may use bootkits to persist on systems.
attack.mitre.org →
Why these techniques?

Integer overflow in U-Boot bootloader enables memory corruption during SquashFS processing; with physical access this directly facilitates bootkit-style compromise before OS initialization (T1542.003).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

Integer overflows in memory allocation in Das U-Boot before 2025.01-rc1 occur for a crafted squashfs filesystem via sbrk, via request2size, or because ptrdiff_t is mishandled on x86_64.

Deeper analysisAI

CVE-2024-57258 is an integer overflow vulnerability (CWE-190) affecting memory allocation in Das U-Boot versions before 2025.01-rc1. The flaw occurs when processing a crafted SquashFS filesystem, triggering overflows via the sbrk function, the request2size function, or mishandling of ptrdiff_t on x86_64 architectures.

Exploitation requires physical access to the target device (AV:P) and high attack complexity (AC:H), with no privileges (PR:N) or user interaction (UI:N) required. A successful attack can achieve high impacts on confidentiality, integrity, and availability (C:I:A:H/H/H) with a changed scope (S:C), resulting in a CVSS v3.1 base score of 7.1.

Mitigation patches are provided in U-Boot repository commits 0a10b49206a29b4aa2f80233a3e53ca0466bb0b3, 8642b2178d2c4002c99a0b69a845a48f2ae2706f, and c17b2a05dd50a3ba437e6373093a0d6a359cdee0. Advisories on oss-security (2025/02/17) and Debian LTS announce (2025/05/msg00001.html) detail the issue and recommend upgrading to U-Boot 2025.01-rc1 or applying the fixes.

Details

CWE(s)
CWE-190

Affected Products

denx
u-boot
≤ 2024.10

CVEs Like This One

CVE-2024-57255Same product: Denx U-Boot
CVE-2024-57254Same product: Denx U-Boot
CVE-2024-57256Same product: Denx U-Boot
CVE-2024-57259Same product: Denx U-Boot
CVE-2026-33243Same product: Denx U-Boot
CVE-2025-0678Shared CWE-190
CVE-2026-41602Shared CWE-190
CVE-2025-24156Shared CWE-190
CVE-2026-27889Shared CWE-190
CVE-2025-53518Shared CWE-190

References