Threadx Usbx
CVE-2022-29223
CRITICAL
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionNVD
Azure RTOS USBX is a USB host, device, and on-the-go (OTG) embedded stack. In versions prior to 6.1.10, an attacker can cause a buffer overflow by providing the Azure RTOS USBX host stack a HUB descriptor with bNbPorts set to a value greater than UX_MAX_TT which defaults to 8. For a bNbPorts value of 255, the implementation of ux_host_class_hub_descriptor_get function will modify the contents of hub -> ux_host_class_hub_device -> ux_device_hub_tt array violating the end boundary by 255 - UX_MAX_TT items. The USB host stack needs to validate the number of ports reported by the hub, and if the value is larger than UX_MAX_TT, USB stack needs to reject the request. This fix has been included in USBX release 6.1.10.
AnalysisAI
Azure RTOS USBX is a USB host, device, and on-the-go (OTG) embedded stack. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Technical ContextAI
This vulnerability is classified as Buffer Copy without Size Check (CWE-120), which allows attackers to overflow a buffer to corrupt adjacent memory. Azure RTOS USBX is a USB host, device, and on-the-go (OTG) embedded stack. In versions prior to 6.1.10, an attacker can cause a buffer overflow by providing the Azure RTOS USBX host stack a HUB descriptor with bNbPorts set to a value greater than UX_MAX_TT which defaults to 8. For a bNbPorts value of 255, the implementation of ux_host_class_hub_descriptor_get function will modify the contents of hub -> ux_host_class_hub_device -> ux_device_hub_tt array violating the end boundary by 255 - UX_MAX_TT items. The USB host stack needs to validate the number of ports reported by the hub, and if the value is larger than UX_MAX_TT, USB stack needs to reject the request. This fix has been included in USBX release 6.1.10. Affected products include: Eclipse Threadx Usbx. Version information: prior to 6.1.10.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Always validate buffer sizes before copy operations. Use bounded functions (strncpy, snprintf). Enable compiler protections.
More in Threadx Usbx
View allAzure RTOS USBx is a USB host, device, and on-the-go (OTG) embedded stack, fully integrated with Azure RTOS ThreadX and
Azure RTOS USBX is a USB host, device, and on-the-go (OTG) embedded stack, that is fully integrated with Azure RTOS Thre
Azure RTOS USBX is a USB host, device, and on-the-go (OTG) embedded stack, that is fully integrated with Azure RTOS Thre
Azure RTOS USBX is a USB host, device, and on-the-go (OTG) embedded stack, that is fully integrated with Azure RTOS Thre
Azure RTOS USBX is a USB host, device, and on-the-go (OTG) embedded stack, that is fully integrated with Azure RTOS Thre
Azure RTOS USBX is a USB host, device, and on-the-go (OTG) embedded stack, that is fully integrated with Azure RTOS Thre
Azure RTOS USBX is a high-performance USB host, device, and on-the-go (OTG) embedded stack, that is fully integrated wit
Azure RTOS USBX is a USB host, device, and on-the-go (OTG) embedded stack. Rated critical severity (CVSS 9.8), this vuln
The function _ux_host_class_storage_media_mount() is responsible for mounting partitions on a USB mass storage device. W
Same weakness CWE-120 – Classic Buffer Overflow
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today