CVE-2023-39902

Published: Oct 17, 2023Modified: Nov 21, 2024

7.8

Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability: 1.8 / Impact: 5.9

Source: NVD

Description

A software vulnerability has been identified in the U-Boot Secondary Program Loader (SPL) before 2023.07 on select NXP i.MX 8M family processors. Under certain conditions, a crafted Flattened Image Tree (FIT) format structure can be used to overwrite SPL memory, allowing unauthenticated software to execute on the target, leading to privilege escalation. This affects i.MX 8M, i.MX 8M Mini, i.MX 8M Nano, and i.MX 8M Plus.

Affected (1)

Products: Nxp: Uboot Secondary Program Loader

1 product

Uboot Secondary Program Loader

Configuration A

1 vulnerable · 4 platform

Vulnerable Software	Affected Versions
Nxp Uboot Secondary Program Loader	Before 2023.07

Running on/with	Platform Versions
Nxp I.mx 8m	All versions
Nxp I.mx 8m Mini	All versions
Nxp I.mx 8m Nano	All versions
Nxp I.mx 8m Plus	All versions

Related CWEs

Improper Preservation of Permissions

The product does not preserve permissions or incorrectly preserves permissions when copying, restoring, or sharing objects, which can cause them to have less restrictive permissions than intended.

References (4)

https://community.nxp.com/t5/i-MX-Security/U-Boot-Secondary-Program-Loader-Authentication-Vulnerability-CVE/ta-p/1736196

Source: cve@mitre.org

MitigationPatchVendor Advisory

https://nxp.com

Source: cve@mitre.org

Product

https://community.nxp.com/t5/i-MX-Security/U-Boot-Secondary-Program-Loader-Authentication-Vulnerability-CVE/ta-p/1736196

Source: af854a3a-2127-422b-91ae-364da2661108

MitigationPatchVendor Advisory

https://nxp.com

Source: af854a3a-2127-422b-91ae-364da2661108

Product

Timeline

No history available yet.