The split_go() routine in mcuboot/boot/bootutil/src/loader.c makes use of the boot_read_image_headers() helper provided for "dual image area with swap" style boots.
boot_read_image_headers() should not be used in this context: it can return success if some of the headers were read correctly, which may be enough if image slots contain complete images for swapping. However, split_go() treats success as if both image area headers were read correctly.
The problem is that when slot 0's header was read correctly and slot 1's wasn't, boot_read_image_headers() still returns success, which results in garbage data being passed to split_image_check(). This could potentially be combined with another bug to feed attacker-controlled data to split_image_check().
This ticket tracks fixing split_go() to validate that all of its inputs are read correctly before passing them off for validation.
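The following is an added, simplified model of the contract mismatch described above; it is not MCUboot's code. All names (read_one_header, read_headers_lenient, read_headers_strict, passes_garbage), the simulated flash and the magic value are assumptions made for illustration.

```c
#include <stdint.h>
#include <string.h>
#define NUM_SLOTS 2
#define HDR_MAGIC 0x1234abcdU          /* constructed value, not MCUboot's */
struct hdr { uint32_t magic; };
static int slot_readable[NUM_SLOTS];   /* simulated flash: 0 = read fails */

/* Hypothetical per-slot read; leaves *out untouched on failure. */
static int read_one_header(int slot, struct hdr *out)
{
    if (!slot_readable[slot]) return -1;
    out->magic = HDR_MAGIC;
    return 0;
}

/* Swap-style contract from the ticket: success as long as slot 0 was read. */
static int read_headers_lenient(struct hdr *h)
{
    for (int i = 0; i < NUM_SLOTS; i++) {
        int rc = read_one_header(i, &h[i]);
        if (rc != 0) return (i > 0) ? 0 : rc;
    }
    return 0;
}

/* Split-image contract: every header must be read and look sane. */
static int read_headers_strict(struct hdr *h)
{
    memset(h, 0, NUM_SLOTS * sizeof(*h)); /* no stale bytes survive a failure */
    for (int i = 0; i < NUM_SLOTS; i++) {
        int rc = read_one_header(i, &h[i]);
        if (rc != 0) return rc;
        if (h[i].magic != HDR_MAGIC) return -2;
    }
    return 0;
}

/* Returns 1 if the caller would hand an unread slot 1 header to validation. */
static int passes_garbage(int strict, int slot1_readable)
{
    struct hdr h[NUM_SLOTS];
    memset(h, 0xA5, sizeof(h));        /* stand-in for stale RAM contents */
    slot_readable[0] = 1;
    slot_readable[1] = slot1_readable;
    int rc = strict ? read_headers_strict(h) : read_headers_lenient(h);
    return rc == 0 && h[1].magic != HDR_MAGIC;
}

int main(void) { return passes_garbage(1, 0); } /* exits 0: strict path rejects */
```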