Six New Bugs in U-Boot Could Let Attackers Hijack Devices at Startup

Binarly researchers found flaws in the tiny program that boots routers, cameras and server chips. Two of them could let intruders run their own code before the device even wakes up.

ThreatVectr Newsdesk· 4 min read
Full-frame close-up of a green circuit board with a prominent black microchip in sharp focus, tiny surface-mount components blurred around it, cool blue LED glo
Share

Key points

  • Binarly disclosed six new flaws in U-Boot, the open-source bootloader used in routers, smart cameras and server management chips.
  • Four of the six bugs can crash an affected device.
  • Two of the bugs could let an attacker run their own code at boot by feeding the device a booby-trapped image.
  • U-Boot runs before the operating system, so code that executes at that stage sits below almost every security tool a device has.
  • Device makers that ship U-Boot need to pull the upstream fixes and push firmware updates to customers.

Firmware security firm Binarly has disclosed six new flaws in U-Boot, the small program that wakes up the hardware inside everything from home broadband routers to smart cameras and the management chips buried inside data-centre servers.

U-Boot is what is called a bootloader. In plain terms, it is the first piece of software that runs when you plug a device in, and its job is to load the main operating system, the way a car's ignition turns over before the engine takes over.

Because it runs so early, anything nasty that gets in at this stage runs below the antivirus, below the operating system, below almost every defence a device has.

Four of the six bugs are what engineers call denial-of-service issues, meaning an attacker can make the device crash and refuse to start. Annoying on a home router. Serious on a hospital gateway or a factory controller.

The other two are worse. They could let an attacker who is able to place a malicious boot image in front of U-Boot run their own code on the device, before the real operating system loads. That kind of foothold is very hard to detect and very hard to remove without reflashing the hardware.

The flaws were first reported by The Hacker News based on Binarly's writeup.

How would an attacker actually exploit this?

They would need to get a tampered boot image in front of U-Boot in the first place, and that is the catch.

In the real world, that usually means one of two scenarios. Either the attacker already has some access to the device, for example a technician's laptop, a compromised update server, or physical hands-on time with the hardware. Or the device is configured to pull its boot image from a network location the attacker can interfere with.

So these are not bugs a random person on the internet can fire at your home router tomorrow. They are the kind of bugs that matter enormously to anyone running fleets of embedded devices: telecoms, industrial sites, cloud providers, and anyone shipping smart hardware with a long service life.

Binarly's team, which specialises in firmware and has a track record of finding U-Boot issues, reported the flaws upstream. Patches are expected to flow into the main U-Boot project, and from there into vendor firmware, though history says that last step is the slow one.

What should device owners and operators do?

For ordinary consumers, there is not much to do beyond the usual: keep router and camera firmware up to date, and replace kit that the manufacturer no longer supports.

For businesses running U-Boot-based hardware at scale, the practical steps are more concrete.

  1. Ask your device vendors, in writing, which U-Boot version their firmware ships and when they plan to release a patched build.
  2. Restrict who and what can push boot images to your devices, whether over the network or via a service port.
  3. Treat management interfaces on servers, the small chips that let admins reboot machines remotely, as high-value targets and put them on isolated networks.
  4. Watch for firmware advisories from server, router and IoT vendors over the coming weeks, because upstream U-Boot fixes tend to trigger a wave of downstream updates.

Regulators have been circling firmware security for a while. The US Cyber Trust Mark scheme and the EU's Cyber Resilience Act both push manufacturers toward faster patching and clearer disclosure for exactly this class of device. Bugs like these are the reason.

© 2026 Threat Vectr