SB2025122301 - Arbitrary code execution in Denx Universal Boot Loader (U-Boot)
Published: December 23, 2025
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 vulnerability.
1) Improper access control for volatile memory containing boot code (CVE-ID: CVE-2025-24857)
CWE-ID: CWE-1274 - Improper Access Control for Volatile Memory Containing Boot Code
CVSSv4: CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows an attacker to compromise the affected system.
The vulnerability exists due to an improper access control in the bootloader. An attacker with physical proximity to the system can execute arbitrary code.
The vulnerability affects systems on Qualcomm chips: IPQ4019, IPQ5018, IPQ5322, IPQ6018, IPQ8064, IPQ8074, and IPQ9574.
Remediation
Install update from vendor's website.