Cyber Posture

CVE-2024-57254

High

Published: 18 February 2025
Modified: 03 November 2025
KEV Added:
Patch:
CVSS Score: 7.1 (CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0006 (18.9th percentile)
Risk Priority: 14 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

An integer overflow in sqfs_inode_size in Das U-Boot before 2025.01-rc1 occurs in the symlink size calculation via a crafted squashfs filesystem.

Security Summary

CVE-2024-57254 is an integer overflow vulnerability (CWE-190) in the sqfs_inode_size function within Das U-Boot versions prior to 2025.01-rc1. The issue arises during symlink size calculation when processing a crafted SquashFS filesystem, potentially leading to incorrect memory handling. It carries a CVSS v3.1 base score of 7.1 (AV:P/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H), indicating high impact across confidentiality, integrity, and availability with a changed scope.

An attacker with physical access to the target device could exploit this vulnerability by providing a specially crafted SquashFS filesystem image. The high attack complexity (AC:H) suggests it requires sophisticated preparation, but no privileges (PR:N) or user interaction (UI:N) are needed. Successful exploitation could result in high-impact consequences, including potential arbitrary code execution, data corruption, or denial of service due to the integer overflow.

Mitigation is to update to Das U-Boot 2025.01-rc1 or later, which contains the fixing commit c8e929e5758999933f9e905049ef2bf3fe6b140d in the U-Boot repository. Security advisories, including the oss-security mailing list announcement of February 17, 2025, and the Debian LTS tracking entry from May 2025, recommend applying this patch to affected systems.

Details

CWE(s): CWE-190

Affected Products

denx u-boot ≤ 2024.10

References