Thank you for the quick response. We will follow the submission guidelines for our fixes and attribution. In the meantime, would you be able to confirm the reported vulnerabilities on your side? That would help us make sure we are aligned on impact and scope as we finalize the fixes. Regards, Sin Liang
________________________________
From: Tom Rini
Sent: Friday, February 27, 2026 1:42 PM
To: Lee, Sin Liang
Cc: [email protected]; Kim, Taesoo; Zhang, Cen; [email protected]; [email protected]
Subject: Re: Security Disclosure: Multiple buffer overflow vulnerabilities in NFS client

On Fri, Feb 27, 2026 at 06:25:14PM +0000, Lee, Sin Liang wrote:
> Dear U-Boot Maintainers,
>
> I'm Sin Liang Lee, a member of Team Atlanta <https://team-atlanta.github.io/>
> from Georgia Institute of Technology, winners of DARPA's AI Cyber Challenge
> (AIxCC) <https://aicyberchallenge.com/>. We're reaching out to submit a
> vulnerability report that we identified using our system, ATLANTIS, in your
> project. This effort is part of DARPA's initiative to apply competition
> technologies to real-world open source projects.
>
> We have built an AI-enhanced CRS (Cyber Reasoning System) for automatic
> vulnerability detection and repair. Using a combination of targeted fuzzing
> (via OSS-Fuzz infrastructure) and AI-assisted static analysis, we identified
> four buffer overflow vulnerabilities in the U-Boot NFS client reply parsers
> (net/nfs-common.c). These affect the current upstream codebase and include a
> signedness bypass of the mitigation introduced for CVE-2019-14193.

Ah, so that explains the squashfs report last week. I am glad to see that part of the challenge now is fixing and not just reporting the issues.

Please see https://docs.u-boot.org/en/latest/develop/sending_patches.html for how to correctly submit patches to the project. And while we do not currently have formal guidelines around AI-assisted contributions, please see:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/Documentation/process/coding-assistants.rst
for how the Linux Kernel expects things to be attributed, and note that we also are requesting that the commit message be human and not AI-written/assisted.

Thanks!

-- 
Tom
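The disclosure above names a "signedness bypass" of a length check but gives no details, and the thread carries no code. The block below is an added illustration of that generic bug class, not U-Boot's code and not the reported vulnerabilities: a hypothetical reply parser reads a 32-bit big-endian (XDR-style) length from the wire, and the weak variant compares it as a signed `int`, so a length with the top bit set reads as negative, passes the `len > BUF_SIZE` check, and would then reach `memcpy` as a huge `size_t`. The hardened variant keeps the length unsigned and additionally bounds it by the bytes actually present in the packet. All packets and names (`weak_check_allows`, `parse_reply`, `BUF_SIZE`) are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define BUF_SIZE 64   /* hypothetical fixed-size destination buffer */

/* Read a big-endian 32-bit field, as XDR-encoded NFS replies carry lengths. */
static uint32_t be32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/*
 * Weak check, shaped like a signed length comparison. Only evaluates the
 * check and returns 1 if a copy of `len` bytes would be allowed; it never
 * copies, so it is safe to run. On gcc/clang the uint32 -> int conversion
 * wraps, so 0xFFFFFFF0 becomes -16 and "-16 > 64" is false.
 */
int weak_check_allows(const unsigned char *pkt, size_t pkt_len)
{
    if (pkt_len < 4)
        return 0;
    int len = (int)be32(pkt);         /* signed: top-bit lengths go negative */
    if (len > BUF_SIZE)               /* bypassed by negative len */
        return 0;
    return 1;                         /* memcpy(buf, pkt + 4, len) would use (size_t)len */
}

/*
 * Hardened parser: unsigned length, bounded by the destination size AND by
 * the payload bytes actually present. Copies into `out` and reports the
 * number of bytes copied. Returns 0 on success, -1 on rejection.
 */
int parse_reply(const unsigned char *pkt, size_t pkt_len,
                unsigned char *out, size_t out_size, size_t *copied)
{
    if (pkt_len < 4)
        return -1;
    uint32_t len = be32(pkt);
    if (len > out_size)               /* would overflow the destination */
        return -1;
    if (len > pkt_len - 4)            /* claims more payload than the packet holds */
        return -1;
    memcpy(out, pkt + 4, len);
    *copied = len;
    return 0;
}

/* Convenience wrapper mirroring weak_check_allows for side-by-side comparison. */
int strong_check_allows(const unsigned char *pkt, size_t pkt_len)
{
    unsigned char buf[BUF_SIZE];
    size_t n;
    return parse_reply(pkt, pkt_len, buf, sizeof(buf), &n) == 0;
}

/* Constructed packets: 4-byte length field followed by payload. */
static const unsigned char pkt_negative[8] = { 0xFF, 0xFF, 0xFF, 0xF0, 'A', 'B', 'C', 'D' };
static const unsigned char pkt_ok[12]      = { 0x00, 0x00, 0x00, 0x08, 1, 2, 3, 4, 5, 6, 7, 8 };
static const unsigned char pkt_short[8]    = { 0x00, 0x00, 0x00, 0x08, 1, 2, 3, 4 };

int main(void)
{
    /* Weak check accepts the negative-looking length; hardened one rejects it. */
    return weak_check_allows(pkt_negative, sizeof(pkt_negative)) == 1 &&
           strong_check_allows(pkt_negative, sizeof(pkt_negative)) == 0 ? 0 : 1;
}
```

The second bound in `parse_reply` matters independently of signedness: a length that fits the destination can still exceed the bytes received, which is an over-read of the packet buffer rather than an over-write of the destination. Checking both is the shape of fix a reviewer would expect for this class of bug.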

