Loading of image data to memory locations based on untrusted header data in LK bootloader (CVE-2013-2598)

Release Date:

September 6, 2013

Affected Projects:

Android for MSM, Firefox OS for MSM, QRD Android

Advisory ID:


CVE ID(s):

CVE-2013-2598

The following security vulnerability has been identified in the implementation of the Little Kernel (LK) bootloader for Android.

CVE-2013-2598: The LK implementation performs basic tasks to start an operating system for the application processor. As part of that, it reads the Linux kernel and ramdisk from a boot or recovery image, loads them into RAM based on the image header information, performs signature verification, and finally boots. Because the header values that determine the load destination of the image were implicitly treated as trusted, it was possible to load the image to arbitrary locations, including the memory of the LK application bootloader itself, and thus overwrite, e.g., signature verification code.
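The kind of check whose absence is described above, as an added example that is not taken from the LK source or from the CAF patches: each destination range named by the untrusted header is validated before anything is copied. The memory-map constants, the `img_hdr` struct and the function names are assumptions made for this illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical memory map, constructed for this example. */
#define RAM_BASE 0x80000000u /* start of RAM that images may be loaded into */
#define RAM_END  0xA0000000u /* one past the end of that RAM */
#define LK_BASE  0x88F00000u /* bootloader's own code and data (assumed) */
#define LK_END   0x89000000u

/* Load-related header fields; every value comes from the untrusted image. */
struct img_hdr {
    uint32_t kernel_addr, kernel_size;
    uint32_t ramdisk_addr, ramdisk_size;
};

/* True if [addr, addr+size) does not wrap, lies inside loadable RAM and
 * does not overlap the bootloader. A zero-size range copies nothing. */
static bool load_range_ok(uint32_t addr, uint32_t size)
{
    if (size == 0)
        return true;
    if (addr < RAM_BASE || addr >= RAM_END)
        return false;
    if (size > RAM_END - addr)  /* also rejects addr + size wrapping */
        return false;
    return addr + size <= LK_BASE || addr >= LK_END;
}

/* Must pass before the loader copies to the header's destinations; the
 * flawed flow copied to kernel_addr / ramdisk_addr without such a check. */
bool hdr_load_addrs_ok(const struct img_hdr *h)
{
    return load_range_ok(h->kernel_addr, h->kernel_size) &&
           load_range_ok(h->ramdisk_addr, h->ramdisk_size);
}

int main(void)
{
    /* Constructed headers: one ordinary, one whose kernel lands on LK. */
    struct img_hdr normal = {0x80008000u, 0x00500000u, 0x82000000u, 0x00100000u};
    struct img_hdr overlapping = {LK_BASE, 0x00001000u, 0x82000000u, 0x00100000u};
    printf("normal header accepted: %d\n", hdr_load_addrs_ok(&normal));
    printf("overlapping header accepted: %d\n", hdr_load_addrs_ok(&overlapping));
    return 0;
}
```

The size comparison is written as `size > RAM_END - addr` so that a large `size` cannot wrap `addr + size` back below the bootloader region and slip past the overlap test.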

Access Vector: Local
Security Risk: Critical

Affected Versions:

All Little Kernel (LK) bootloader implementations on CAF from the following heads: master, jb*, ics*


We advise customers to apply the following patches:


This vulnerability has been disclosed by Dan Rosenberg via a post in the Azimuth Security blog.


Initial revision