Researchers at firmware security company Binarly have disclosed six vulnerabilities in U-Boot, one of the world’s most widely deployed open-source bootloaders, that could let attackers run malicious code during device startup, before the operating system or any of its security tools have a chance to load.
U-Boot underpins a huge swath of embedded Linux infrastructure, including Baseboard Management Controllers (BMCs) in enterprise servers, networking gear, industrial control systems, and IoT devices. Because the bootloader is responsible for loading the OS, flaws in its code sit beneath every other security layer on the device.
Binarly’s research focused on U-Boot’s FIT (Flattened Image Tree) signature verification code, the mechanism behind Verified Boot, which uses cryptographic signatures to confirm that only trusted firmware images are allowed to run. Two of the six bugs can lead to arbitrary code execution during verification of an untrusted image; the other four can crash a vulnerable device.
The six vulnerabilities
- BRLY-2026-037: Can crash U-Boot when processing a malicious firmware image and, under certain conditions, enables arbitrary code execution.
- BRLY-2026-038: A memory corruption bug that can allow arbitrary code execution during signature verification.
- BRLY-2026-039: An out-of-bounds read that crashes devices by forcing U-Boot to read past the firmware image.
- BRLY-2026-040: A null pointer dereference triggered by a specially crafted image.
- BRLY-2026-041: Improper validation of externally stored firmware data that causes crashes.
- BRLY-2026-042: An unbounded recursion flaw that exhausts stack memory and crashes the bootloader.
Binarly says most of the affected code has existed since U-Boot version 2013.07, meaning the flaws potentially touch more than 50 stable releases of the project, along with the many downstream vendor forks built on that codebase.
Because exploitation happens before the OS starts, successful attacks could disable firmware security protections, tamper with the boot process, or plant persistent firmware-level malware that is extremely difficult to detect with conventional endpoint tools. Binarly notes that physical access isn’t always required: on systems like BMCs that support remote firmware updates, an attacker who has already compromised the management interface could simply upload a malicious firmware image to trigger the flaws.
Binarly reported the issues to U-Boot maintainers and submitted patches for all six, which have been merged upstream. However, since U-Boot is embedded into vendor-specific firmware, device manufacturers must integrate the fixes into their own updates before customers receive them. Older or unsupported hardware that no longer gets firmware updates may never be patched.
