Vulnerability Monitor

CVE-2023-39902


A software vulnerability has been identified in the U-Boot Secondary Program Loader (SPL) before 2023.07 on select NXP i.MX 8M family processors. Under certain conditions, a crafted Flattened Image Tree (FIT) format structure can be used to overwrite SPL memory, allowing unauthenticated software to execute on the target, leading to privilege escalation. This affects i.MX 8M, i.MX 8M Mini, i.MX 8M Nano, and i.MX 8M Plus.


Published

2023-10-17T12:15:09.960

Last Modified

2024-11-21T08:16:00.530

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 7.0 (HIGH)

Weaknesses
  • Type: Primary
    CWE-281

Affected Vendors & Products
Type              Vendor  Product                         Version/Range  Vulnerable?
Operating System  nxp     uboot_secondary_program_loader  < 2023.07      Yes
Hardware          nxp     i.mx_8m                         -              No
Hardware          nxp     i.mx_8m_mini                    -              No
Hardware          nxp     i.mx_8m_nano                    -              No
Hardware          nxp     i.mx_8m_plus                    -              No

References