CVE-2023-39902

low-risk
Published 2023-10-17

A software vulnerability has been identified in the U-Boot Secondary Program Loader (SPL) before 2023.07 on select NXP i.MX 8M family processors. Under certain conditions, a crafted Flattened Image Tree (FIT) format structure can be used to overwrite SPL memory, allowing unauthenticated software to execute on the target, leading to privilege escalation. This affects i.MX 8M, i.MX 8M Mini, i.MX 8M Nano, and i.MX 8M Plus.

Do I need to act?

-
0.10% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
7
CVSS 7.0/10 High
LOCAL / HIGH complexity

Affected Products (1)

Uboot Secondary Program Loader

Affected Vendors

Nxp

References (4)

Mitigation https://community.nxp.com/t5/i-MX-Security/U-Boot-Secondary-Program-Loader-Authe...
Product https://nxp.com
Mitigation https://community.nxp.com/t5/i-MX-Security/U-Boot-Secondary-Program-Loader-Authe...
Product https://nxp.com
23
/ 100
low-risk
Severity 18/34 · Moderate
Exploitability 0/34 · Minimal
Exposure 5/34 · Minimal