CVE-2024-57255 is an integer overflow vulnerability classified under CWE-190 found in the denx U-Boot bootloader, a widely used open-source bootloader for embedded devices. The vulnerability exists in the sqfs_resolve_symlink function, which handles symbolic links within squashfs filesystems. Specifically, when processing a crafted squashfs image containing an inode size field set to the maximum 32-bit unsigned integer value (0xffffffff), the code miscalculates the required memory allocation size, resulting in a malloc call with zero bytes. This leads to a memory overwrite due to subsequent operations assuming a valid allocation. The consequence is a corruption of memory that can be exploited to compromise system confidentiality, integrity, and availability during the boot process. The vulnerability requires local access to the device's boot environment and has a high attack complexity, as crafting a malicious squashfs image and triggering the vulnerable code path is non-trivial. There are no known public exploits or active exploitation campaigns reported at this time. The vulnerability affects all U-Boot versions prior to 2025.01-rc1, which includes many embedded systems and IoT devices that rely on U-Boot for initial bootstrapping. Given U-Boot's prevalence in embedded Linux environments, this vulnerability poses a significant risk to devices that process untrusted squashfs filesystems during boot. The vulnerability has a CVSS v3.1 score of 7.1, reflecting its high severity due to the potential for complete system compromise without user interaction or privileges but requiring physical or local access.

For European organizations, the impact of CVE-2024-57255 can be substantial, particularly for those operating embedded systems in critical infrastructure, telecommunications, industrial automation, and IoT deployments. Successful exploitation could allow attackers to execute arbitrary code or cause denial of service at the bootloader level, potentially leading to persistent device compromise or operational disruption. This could affect confidentiality by exposing sensitive boot-time data, integrity by allowing malicious code injection, and availability by causing device failures or bricking. The high attack complexity and requirement for local access limit remote exploitation risks but do not eliminate threats from insider attacks, supply chain compromises, or physical access scenarios. Organizations relying on devices with vulnerable U-Boot versions should consider this a serious risk, especially where devices are deployed in untrusted environments or where physical security is limited. The lack of known exploits currently provides a window for proactive mitigation before active exploitation emerges.

1. Immediately upgrade all affected devices to U-Boot version 2025.01-rc1 or later, where the vulnerability is patched. 2. Implement strict validation and sanitization of squashfs filesystem inputs before they are processed by the bootloader, ideally rejecting filesystems with suspicious inode sizes or malformed metadata. 3. Enforce physical security controls to prevent unauthorized local access to devices, including tamper-evident seals and secure boot mechanisms. 4. Employ secure boot and trusted platform module (TPM) technologies to ensure bootloader integrity and prevent unauthorized code execution during boot. 5. Conduct thorough inventory and risk assessments of embedded devices running U-Boot to identify vulnerable systems. 6. Monitor device firmware update channels and subscribe to vendor security advisories for timely patch deployment. 7. For critical infrastructure, consider network segmentation and device isolation to limit exposure of embedded devices to untrusted networks or users. 8. Develop incident response plans that include procedures for bootloader compromise scenarios.