#1136954 u-boot: CVE-2026-46728

Package:
src:u-boot
Source:
src:u-boot
Submitter:
Salvatore Bonaccorso
Date:
2026-06-24 21:05:03 UTC
Severity:
normal
Tags:
#1136954#5
Date:
2026-05-17 14:52:28 UTC
From:
To:
Hi,

The following vulnerability was published for u-boot.

CVE-2026-46728[0]:
| Das U-Boot before 2026.04 allows FIT (Flat Image Tree) signature
| verification bypass because hashed-nodes is omitted from a hash.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-46728
https://www.cve.org/CVERecord?id=CVE-2026-46728
[1] https://github.com/u-boot/u-boot/commit/2092322b31cc8b1f8c9e2e238d1043ae0637b241

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

#1136954#10
Date:
2026-06-15 10:34:07 UTC
From:
To:
We believe that the bug you reported is fixed in the latest version of
u-boot, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1136954@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Andreas Henriksson <andreas@fatal.se> (supplier of updated u-boot package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Mon, 08 Jun 2026 14:48:23 +0200
Source: u-boot
Architecture: source
Version: 2025.01-3.2
Distribution: unstable
Urgency: high
Maintainer: Vagrant Cascadian <vagrant@debian.org>
Changed-By: Andreas Henriksson <andreas@fatal.se>
Closes: 1081557 1136954
Changes:
 u-boot (2025.01-3.2) unstable; urgency=high
 .
   * Non-maintainer upload by the LTS Team.
   * CVE-2024-42040 (Closes: #1081557)
   * CVE-2026-46728 (Closes: #1136954)

#1136954#15
Date:
2026-06-24 21:03:41 UTC
From:
To:
We believe that the bug you reported is fixed in the latest version of
u-boot, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1136954@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Andreas Henriksson <andreas@fatal.se> (supplier of updated u-boot package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Mon, 22 Jun 2026 10:38:07 +0200
Source: u-boot
Architecture: source
Version: 2023.01+dfsg-2+deb12u3
Distribution: bookworm-security
Urgency: high
Maintainer: Vagrant Cascadian <vagrant@debian.org>
Changed-By: Andreas Henriksson <andreas@fatal.se>
Closes: 1056750 1081557 1136954
Changes:
 u-boot (2023.01+dfsg-2+deb12u3) bookworm-security; urgency=high
 .
   * Non-maintainer upload by the LTS Team.
   * CVE-2024-42040: buffer overread vulnerability in the DHCP implementation.
     (Closes: #1081557)
   * CVE-2026-46728: mishandles use of unit addresses in a FIT.
     (Closes: #1136954)
   * Remove avr32 arch support removed in dpkg 1.22.0 (Closes: #1056750)
     - now also leads to dak rejecting uploads even for older suites