CVE-2022-36063 in RTOS USBX
Summary
by MITRE • 10/11/2022
Azure RTOS USBx is a USB host, device, and on-the-go (OTG) embedded stack, fully integrated with Azure RTOS ThreadX and available for all Azure RTOS ThreadX–supported processors. Azure RTOS USBX implementation of host support for USB CDC ECM includes an integer underflow and a buffer overflow in the `_ux_host_class_cdc_ecm_mac_address_get` function which may be potentially exploited to achieve remote code execution or denial of service. Setting mac address string descriptor length to a `0` or `1` allows an attacker to introduce an integer underflow followed (string_length) by a buffer overflow of the `cdc_ecm -> ux_host_class_cdc_ecm_node_id` array. This may allow one to redirect the code execution flow or introduce a denial of service. The fix has been included in USBX release [6.1.12](https://github.com/azure-rtos/usbx/releases/tag/v6.1.12_rel). Improved mac address string descriptor length validation to check for unexpectedly small values may be used as a workaround.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 10/27/2025
The vulnerability CVE-2022-36063 affects Azure RTOS USBX, a comprehensive USB host, device, and on-the-go embedded stack that integrates fully with Azure RTOS ThreadX across all supported processors. This implementation flaw specifically resides within the USB CDC ECM (Ethernet Control Model) host support functionality, where the `_ux_host_class_cdc_ecm_mac_address_get` function contains critical security defects that could enable remote code execution or denial of service attacks. The vulnerability stems from inadequate input validation of MAC address string descriptor lengths, creating exploitable conditions that attackers can leverage to compromise system integrity.
The technical exploitation occurs through a combination of integer underflow and buffer overflow conditions within the USBX stack implementation. When an attacker sets the MAC address string descriptor length to either zero or one, this creates an integer underflow that subsequently triggers a buffer overflow in the `cdc_ecm->ux_host_class_cdc_ecm_node_id` array. The integer underflow happens because the code does not properly validate that the string descriptor length parameter remains within expected bounds, allowing malicious input to cause arithmetic overflow conditions. This overflow then corrupts memory within the USBX stack, potentially enabling attackers to redirect code execution flow or cause system crashes through denial of service conditions.
The operational impact of this vulnerability extends across all systems utilizing Azure RTOS USBX with USB CDC ECM host functionality, particularly embedded devices that rely on USB connectivity for network operations. Attackers can exploit this vulnerability remotely through malicious USB devices or network-connected endpoints that communicate with vulnerable systems. The vulnerability affects the fundamental USB stack processing capabilities, potentially allowing unauthorized code execution with the privileges of the running USBX process, which could lead to complete system compromise. The vulnerability's remote exploitation capability makes it particularly dangerous in environments where untrusted USB devices might be connected to critical systems.
Security mitigations for CVE-2022-36063 include applying the official fix released in USBX version 6.1.12, which implements improved validation of MAC address string descriptor lengths to prevent unexpectedly small values from causing integer underflows. Organizations should also implement network segmentation and USB device access controls to limit potential attack vectors. The workaround of enhanced length validation provides temporary protection while systems are updated to the patched version. This vulnerability aligns with CWE-190 (Integer Overflow or Wraparound) and CWE-121 (Stack-based Buffer Overflow) categories, and represents a technique that could be categorized under ATT&CK tactic TA0040 (Defense Evasion) and technique T1059.001 (Command and Scripting Interpreter) for potential code execution scenarios. System administrators should prioritize patching affected deployments, particularly in industrial control systems, IoT devices, and embedded platforms where USB connectivity is utilized for network operations, as these environments often lack the security controls found in traditional computing environments and are therefore more susceptible to exploitation of such fundamental stack vulnerabilities.