Security researchers at Binarly have uncovered six critical vulnerabilities in U-Boot, a widely used bootloader responsible for initializing hardware in devices ranging from home routers to data-center server management chips. These flaws expose devices to potential crashes and, more alarmingly, to code execution before the operating system loads, which could lead to persistent firmware compromise. Four of these bugs can cause a device to crash, while the remaining two allow attackers to execute code by exploiting a malicious image prior to signature verification.

The vulnerabilities were found in the digital signature verification process of U-Boot's Flattened Image Tree, which packages essential boot components like the kernel and device tree. Most of the affected code has been present since U-Boot version 2013.07, making its way into over 50 stable releases and various vendor firmware. Although no CVE identifiers have been assigned yet, the issues are tracked as Binarly advisories BRLY-2026-037 through BRLY-2026-042.

The two most severe flaws, BRLY-2026-037 and BRLY-2026-038, stem from unchecked values in U-Boot's device-tree parsing library, which could lead to memory corruption if exploited. The other four, BRLY-2026-039 through BRLY-2026-042, primarily result in device crashes due to improper handling of image sizes and offsets.

To date, there have been no reported instances of these vulnerabilities being exploited in real-world attacks. However, the potential for remote exploitation exists, particularly if an attacker gains access to the device's update process. With no official patch yet released, vendors relying on U-Boot must urgently integrate upstream fixes to mitigate these risks. Customers will need to await firmware updates from their device manufacturers to ensure their systems remain secure.