CVE-2023-39902

A software vulnerability has been identified in the U-Boot Secondary Program Loader (SPL) before 2023.07 on select NXP i.MX 8M family processors. Under certain conditions, a crafted Flattened Image Tree (FIT) format structure can be used to overwrite SPL memory, allowing unauthenticated software to execute on the target, leading to privilege escalation. This affects i.MX 8M, i.MX 8M Mini, i.MX 8M Nano, and i.MX 8M Plus.
Configurations

Configuration 1 (hide)

AND
cpe:2.3:o:nxp:uboot_secondary_program_loader:*:*:*:*:*:*:*:*
OR cpe:2.3:h:nxp:i.mx_8m:-:*:*:*:*:*:*:*
cpe:2.3:h:nxp:i.mx_8m_mini:-:*:*:*:*:*:*:*
cpe:2.3:h:nxp:i.mx_8m_nano:-:*:*:*:*:*:*:*
cpe:2.3:h:nxp:i.mx_8m_plus:-:*:*:*:*:*:*:*

History

24 Oct 2023, 19:30

Type Values Removed Values Added
CPE cpe:2.3:o:nxp:uboot_secondary_program_loader:*:*:*:*:*:*:*:*
cpe:2.3:h:nxp:i.mx_8m_mini:-:*:*:*:*:*:*:*
cpe:2.3:h:nxp:i.mx_8m_plus:-:*:*:*:*:*:*:*
cpe:2.3:h:nxp:i.mx_8m:-:*:*:*:*:*:*:*
cpe:2.3:h:nxp:i.mx_8m_nano:-:*:*:*:*:*:*:*
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 7.8
References (MISC) https://nxp.com - (MISC) https://nxp.com - Product
References (MISC) https://community.nxp.com/t5/i-MX-Security/U-Boot-Secondary-Program-Loader-Authentication-Vulnerability-CVE/ta-p/1736196 - (MISC) https://community.nxp.com/t5/i-MX-Security/U-Boot-Secondary-Program-Loader-Authentication-Vulnerability-CVE/ta-p/1736196 - Mitigation, Patch, Vendor Advisory
CWE CWE-281
First Time Nxp uboot Secondary Program Loader
Nxp i.mx 8m Nano
Nxp i.mx 8m Plus
Nxp i.mx 8m Mini
Nxp i.mx 8m
Nxp

17 Oct 2023, 12:38

Type Values Removed Values Added
New CVE

Information

Published : 2023-10-17 12:15

Updated : 2024-02-28 20:33


NVD link : CVE-2023-39902

Mitre link : CVE-2023-39902

CVE.ORG link : CVE-2023-39902


JSON object : View

Products Affected

nxp

  • i.mx_8m_plus
  • i.mx_8m
  • i.mx_8m_nano
  • uboot_secondary_program_loader
  • i.mx_8m_mini
CWE
CWE-281

Improper Preservation of Permissions