{"id":"CVE-2022-2347","details":"There exists an unchecked length field in UBoot. The U-Boot DFU implementation does not bound the length field in USB DFU download setup packets, and it does not verify that the transfer direction corresponds to the specified command. Consequently, if a physical attacker crafts a USB DFU download setup packet with a `wLength` greater than 4096 bytes, they can write beyond the heap-allocated request buffer.","modified":"2026-04-10T04:44:45.714996Z","published":"2022-09-23T13:15:10.133Z","references":[{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2025/05/msg00001.html"},{"type":"EVIDENCE","url":"https://seclists.org/oss-sec/2022/q3/41"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/u-boot/u-boot","events":[{"introduced":"6528ff0109d81c1f21d20f9f1370782bccf87bcb"},{"last_affected":"e092e3250270a1016c877da7bdd9384f14b1321e"}],"database_specific":{"versions":[{"introduced":"2012.10"},{"last_affected":"2022.07"}]}}],"versions":["v2012.10","v2013.01","v2013.01-rc1","v2013.01-rc2","v2013.01-rc3","v2013.04","v2013.04-rc1","v2013.04-rc2","v2013.04-rc3","v2013.07","v2013.07-rc1","v2013.07-rc2","v2013.07-rc3","v2013.10","v2013.10-rc1","v2013.10-rc2","v2013.10-rc3","v2013.10-rc4","v2014.01-rc1","v2014.04","v2014.07","v2014.07-rc1","v2014.07-rc2","v2014.07-rc3","v2014.07-rc4","v2014.10","v2014.10-rc1","v2014.10-rc2","v2014.10-rc3","v2015.01","v2015.01-rc1","v2015.01-rc2","v2015.01-rc3","v2015.01-rc4","v2015.04","v2015.04-rc1","v2015.04-rc2","v2015.04-rc3","v2015.04-rc4","v2015.04-rc5","v2015.07","v2015.07-rc1","v2015.07-rc2","v2015.07-rc3","v2015.10","v2015.10-rc1","v2015.10-rc2","v2015.10-rc3","v2015.10-rc4","v2015.10-rc5","v2016.01","v2016.01-rc1","v2016.01-rc2","v2016.01-rc3","v2016.01-rc4","v2016.03","v2016.03-rc1","v2016.03-rc2","v2016.03-rc3","v2016.05","v2016.05-rc1","v2016.05-rc2","v2016.05-rc3","v2016.07","v2016.07-rc1","v2016.07-rc2","v2016.07-rc3","v2016.09","v2016.09-rc1","v2016.09-rc2","v2016.11","v2016.11-rc1","v2016.11-rc2","v2016.11-rc3","v2017.01","v2017.01-rc1","v2017.01-rc2","v2017.01-rc3","v2017.03","v2017.03-rc1","v2017.03-rc2","v2017.03-rc3","v2017.05","v2017.05-rc1","v2017.05-rc2","v2017.05-rc3","v2017.07","v2017.07-rc1","v2017.07-rc2","v2017.07-rc3","v2017.09","v2017.09-rc1","v2017.09-rc2","v2017.09-rc3","v2017.09-rc4","v2017.11","v2017.11-rc1","v2017.11-rc2","v2017.11-rc3","v2017.11-rc4","v2018.01","v2018.01-rc1","v2018.01-rc2","v2018.01-rc3","v2018.03","v2018.03-rc1","v2018.03-rc2","v2018.03-rc3","v2018.03-rc4","v2018.05","v2018.05-rc1","v2018.05-rc2","v2018.05-rc3","v2018.07","v2018.07-rc1","v2018.07-rc2","v2018.07-rc3","v2018.09","v2018.09-rc1","v2018.09-rc2","v2018.09-rc3","v2018.11","v2018.11-rc1","v2018.11-rc2","v2018.11-rc3","v2019.01","v2019.01-rc1","v2019.01-rc2","v2019.01-rc3","v2019.04","v2019.04-rc1","v2019.04-rc2","v2019.04-rc3","v2019.04-rc4","v2019.07","v2019.07-rc1","v2019.07-rc2","v2019.07-rc3","v2019.07-rc4","v2019.10","v2019.10-rc1","v2019.10-rc2","v2019.10-rc3","v2019.10-rc4","v2020.01","v2020.01-rc1","v2020.01-rc2","v2020.01-rc3","v2020.01-rc4","v2020.01-rc5","v2020.04","v2020.04-rc1","v2020.04-rc2","v2020.04-rc3","v2020.04-rc4","v2020.04-rc5","v2020.07","v2020.07-rc1","v2020.07-rc2","v2020.07-rc3","v2020.07-rc4","v2020.07-rc5","v2020.10","v2020.10-rc1","v2020.10-rc2","v2020.10-rc3","v2020.10-rc4","v2020.10-rc5","v2021.01","v2021.01-rc1","v2021.01-rc2","v2021.01-rc3","v2021.01-rc4","v2021.01-rc5","v2021.04","v2021.04-rc1","v2021.04-rc2","v2021.04-rc3","v2021.04-rc4","v2021.04-rc5","v2021.07","v2021.07-rc1","v2021.07-rc2","v2021.07-rc3","v2021.07-rc4","v2021.07-rc5","v2021.10","v2021.10-rc1","v2021.10-rc2","v2021.10-rc3","v2021.10-rc4","v2021.10-rc5","v2022.01","v2022.01-rc1","v2022.01-rc2","v2022.01-rc3","v2022.01-rc4","v2022.04","v2022.04-rc1","v2022.04-rc2","v2022.04-rc3","v2022.04-rc4","v2022.04-rc5","v2022.07","v2022.07-rc1","v2022.07-rc2","v2022.07-rc3","v2022.07-rc4","v2022.07-rc5","v2022.07-rc6"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-2347.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H"}]}