U-Boot squashfs filesystem implementation vulnerable to heap-based buffer overflow


U-Boot is a boot loader for multiple platforms, and its squashfs filesystem feature has been provided since v2020.10-rc2 (commit c5100613). The squashfs filesystem implementation of U-Boot contains a heap-based buffer overflow vulnerability (CWE-122) due to a defect in the metadata reading process.

Tatsuhiko Yasumatsu of Sony Corporation reported this vulnerability to JPCERT/CC.
JPCERT/CC coordinated between the reporter and the developer.
CVSS Severity

CVSS V3 Severity:
Base Metrics 6.6 (Medium) [Other]
  • Attack Vector: Physical
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High
Affected Products

DENX Software Engineering
  • U-Boot from v2020.10-rc2 to v2022.07-rc5


Loading a specially crafted squashfs image may lead to a denial-of-service (DoS) condition or arbitrary code execution.

[Update the Software]
Update the software to the latest version according to the information provided by the developer.
The developer has included the fix in U-Boot v2022.07-rc6.
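
To check builds against the affected range and fixed version stated above, the following added example (not part of the advisory or of U-Boot's own code) classifies U-Boot version banners found in a console log or firmware image. The function names and the sample bytes are constructed for illustration; it assumes the usual `U-Boot YYYY.MM[-rcN]` banner format.

```python
import re

# Affected range as stated in the advisory (inclusive on both ends).
FIRST_AFFECTED = "v2020.10-rc2"
LAST_AFFECTED = "v2022.07-rc5"

VERSION_RE = re.compile(r"(?<![\d.])v?(\d{4})\.(\d{2})(?:\.(\d+))?(?:-rc(\d+))?")
# Banner text as it appears in a console log or embedded in a firmware image.
BANNER_RE = re.compile(rb"U-Boot (?:SPL |TPL )?\d{4}\.\d{2}[\w.+-]*")

def version_key(text):
    """Return a sortable (year, month, patch, rc) tuple, or None if no version is found."""
    m = VERSION_RE.search(text)
    if m is None:
        return None
    year, month, patch, rc = m.groups()
    # A final release sorts after every release candidate of the same version.
    rc_rank = int(rc) if rc is not None else float("inf")
    return (int(year), int(month), int(patch or 0), rc_rank)

def classify(text):
    """Classify one version string or banner against the advisory's range."""
    key = version_key(text)
    if key is None:
        return "unknown"
    if version_key(FIRST_AFFECTED) <= key <= version_key(LAST_AFFECTED):
        return "affected"
    return "not affected"

def scan_image(blob):
    """Find U-Boot banners in raw bytes and classify each one."""
    banners = sorted({b.decode("ascii") for b in BANNER_RE.findall(blob)})
    return {banner: classify(banner) for banner in banners}

# Constructed sample: bytes resembling a flash dump holding two boot stages.
SAMPLE_IMAGE = (
    b"\x00\xffpad" + b"U-Boot SPL 2021.04 (Apr 05 2021 - 10:00:00 +0000)\x00"
    + b"\x7fELF" + b"U-Boot 2022.07-rc6-00003-g0123abc (Jul 01 2022)\x00"
)

if __name__ == "__main__":
    for banner, verdict in scan_image(SAMPLE_IMAGE).items():
        print(f"{banner}: {verdict}")
```

A banner in range only shows that the build is based on an affected release: a vendor tree may carry the fix as a backport, and a build without squashfs support (`FS_SQUASHFS`) does not contain the affected code.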
Vendor Information

DENX Software Engineering
CWE

  1. Heap-based Buffer Overflow (CWE-122) [Other]
CVE

  1. CVE-2022-33967

  1. JVN : JVNVU#97846460
Revision History

  • [2022/07/14]
      Web page was published
  • [2022/07/25]
      Overview was modified
      Affected Products : Product version was modified
      Solution was modified