Cyber Posture

CVE-2024-57259

High

Published: 18 February 2025

Published
18 February 2025
Modified
03 November 2025
KEV Added
Patch
CVSS Score 7.1 CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS Score 0.0007 20.5th percentile
Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-57259 is a high-severity Off-by-one Error (CWE-193) vulnerability in Denx U-Boot. Its CVSS base score is 7.1 (High).

Operationally, ranked at the 20.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 PE-3 (Physical Access Control) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match
prevent

Directly requires identification, reporting, and timely remediation of the off-by-one heap corruption flaw in U-Boot's sqfs_search_dir via patching to 2025.01-rc1 or later.

SI-16 Memory Protection partial match
prevent

Implements memory protections to mitigate exploitation of heap memory corruption resulting from the path separator off-by-one error.

PE-3 Physical Access Control good match
prevent

Enforces physical access controls to block the physical proximity (AV:P) required to trigger the squashfs directory listing vulnerability.

NVD Description

sqfs_search_dir in Das U-Boot before 2025.01-rc1 exhibits an off-by-one error and resultant heap memory corruption for squashfs directory listing because the path separator is not considered in a size calculation.

Deeper analysisAI

CVE-2024-57259 affects Das U-Boot versions before 2025.01-rc1, specifically in the sqfs_search_dir function used for squashfs directory listing. The vulnerability stems from an off-by-one error (CWE-193) where the path separator is not considered in a size calculation, resulting in heap memory corruption. Published on 2025-02-18, it carries a CVSS v3.1 base score of 7.1 (AV:P/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H).

Exploitation requires physical proximity to the target device and a high-complexity attack, but no privileges or user interaction. A successful attack can achieve high impacts across confidentiality, integrity, and availability, with a changed scope due to the memory corruption.

Mitigation is available via a patch commit in the U-Boot repository (048d795bb5b3d9c5701b4855f5e74bcf6849bf5e), which users should apply by updating to 2025.01-rc1 or later. Additional details appear in announcements on the oss-security mailing list and Debian LTS, emphasizing the need for upgrades in affected embedded systems.

Details

CWE(s)
CWE-193

Affected Products

denx
u-boot
≤ 2024.10

CVEs Like This One

CVE-2024-57255Same product: Denx U-Boot
CVE-2024-57254Same product: Denx U-Boot
CVE-2024-57258Same product: Denx U-Boot
CVE-2024-57256Same product: Denx U-Boot
CVE-2026-33243Same product: Denx U-Boot
CVE-2024-57990Shared CWE-193
CVE-2026-44603Shared CWE-193
CVE-2026-4887Shared CWE-193
CVE-2026-33997Shared CWE-193
CVE-2026-34085Shared CWE-193

References