CVE-2023-39902

A software vulnerability has been identified in the U-Boot Secondary Program Loader (SPL) before 2023.07 on select NXP i.MX 8M family processors. Under certain conditions, a crafted Flattened Image Tree (FIT) format structure can be used to overwrite SPL memory, allowing unauthenticated software to execute on the target, leading to privilege escalation. This affects i.MX 8M, i.MX 8M Mini, i.MX 8M Nano, and i.MX 8M Plus.
Configurations

Configuration 1 (hide)

AND
cpe:2.3:o:nxp:uboot_secondary_program_loader:*:*:*:*:*:*:*:*
OR cpe:2.3:h:nxp:i.mx_8m:-:*:*:*:*:*:*:*
cpe:2.3:h:nxp:i.mx_8m_mini:-:*:*:*:*:*:*:*
cpe:2.3:h:nxp:i.mx_8m_nano:-:*:*:*:*:*:*:*
cpe:2.3:h:nxp:i.mx_8m_plus:-:*:*:*:*:*:*:*

History

21 Nov 2024, 08:16

Type Values Removed Values Added
References () https://community.nxp.com/t5/i-MX-Security/U-Boot-Secondary-Program-Loader-Authentication-Vulnerability-CVE/ta-p/1736196 - Mitigation, Patch, Vendor Advisory () https://community.nxp.com/t5/i-MX-Security/U-Boot-Secondary-Program-Loader-Authentication-Vulnerability-CVE/ta-p/1736196 - Mitigation, Patch, Vendor Advisory
References () https://nxp.com - Product () https://nxp.com - Product
CVSS v2 : unknown
v3 : 7.8
v2 : unknown
v3 : 7.0

24 Oct 2023, 19:30

Type Values Removed Values Added
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 7.8
First Time Nxp uboot Secondary Program Loader
Nxp i.mx 8m Nano
Nxp i.mx 8m Plus
Nxp i.mx 8m Mini
Nxp i.mx 8m
Nxp
CWE CWE-281
References (MISC) https://nxp.com - (MISC) https://nxp.com - Product
References (MISC) https://community.nxp.com/t5/i-MX-Security/U-Boot-Secondary-Program-Loader-Authentication-Vulnerability-CVE/ta-p/1736196 - (MISC) https://community.nxp.com/t5/i-MX-Security/U-Boot-Secondary-Program-Loader-Authentication-Vulnerability-CVE/ta-p/1736196 - Mitigation, Patch, Vendor Advisory
CPE cpe:2.3:o:nxp:uboot_secondary_program_loader:*:*:*:*:*:*:*:*
cpe:2.3:h:nxp:i.mx_8m_mini:-:*:*:*:*:*:*:*
cpe:2.3:h:nxp:i.mx_8m_plus:-:*:*:*:*:*:*:*
cpe:2.3:h:nxp:i.mx_8m:-:*:*:*:*:*:*:*
cpe:2.3:h:nxp:i.mx_8m_nano:-:*:*:*:*:*:*:*

17 Oct 2023, 12:38

Type Values Removed Values Added
New CVE

Information

Published : 2023-10-17 12:15

Updated : 2024-11-21 08:16


NVD link : CVE-2023-39902

Mitre link : CVE-2023-39902

CVE.ORG link : CVE-2023-39902


JSON object : View

Products Affected

nxp

  • i.mx_8m
  • i.mx_8m_mini
  • i.mx_8m_nano
  • uboot_secondary_program_loader
  • i.mx_8m_plus
CWE
CWE-281

Improper Preservation of Permissions