CVE-2022-39293 in USBX
Summary
by MITRE • 10/13/2022
Azure RTOS USBX is a high-performance USB host, device, and on-the-go (OTG) embedded stack that is fully integrated with Azure RTOS ThreadX.

In [_ux_host_class_pima_read](https://github.com/azure-rtos/usbx/blob/master/common/usbx_host_classes/src/ux_host_class_pima_read.c), the data length of the device response is carried in the very first packet and is read by the [L165 code](https://github.com/azure-rtos/usbx/blob/082fd9db09a3669eca3358f10b8837a5c1635c0b/common/usbx_host_classes/src/ux_host_class_pima_read.c#L165) as header_length. The [L178 code](https://github.com/azure-rtos/usbx/blob/082fd9db09a3669eca3358f10b8837a5c1635c0b/common/usbx_host_classes/src/ux_host_class_pima_read.c#L178) then has an `if` branch that checks the expression `(header_length - UX_HOST_CLASS_PIMA_DATA_HEADER_SIZE) > data_length`. If header_length is smaller than UX_HOST_CLASS_PIMA_DATA_HEADER_SIZE, this unsigned subtraction wraps around, and the calculation of data_length at the [L182 code](https://github.com/azure-rtos/usbx/blob/082fd9db09a3669eca3358f10b8837a5c1635c0b/common/usbx_host_classes/src/ux_host_class_pima_read.c#L182) wraps as well. The later [while loop starting at L192](https://github.com/azure-rtos/usbx/blob/082fd9db09a3669eca3358f10b8837a5c1635c0b/common/usbx_host_classes/src/ux_host_class_pima_read.c#L192) can then move data_pointer to an unexpected address and cause a buffer overflow on write.

The fix has been included in USBX release [6.1.12](https://github.com/azure-rtos/usbx/releases/tag/v6.1.12_rel).

The following can be used as a workaround. Add checks of `header_length`:

1. It must be greater than `UX_HOST_CLASS_PIMA_DATA_HEADER_SIZE`.
2. It should be greater than or equal to the current returned data length (`transfer_request -> ux_transfer_request_actual_length`).
Analysis
by VulDB Data Team • 10/27/2025
The vulnerability identified as CVE-2022-39293 resides within Azure RTOS USBX, an embedded USB stack that integrates with Azure RTOS ThreadX for device communication. The flaw is in the ux_host_class_pima_read function, where the host stack processes data returned by USB devices that implement the Picture Transfer Protocol (PTP, PIMA 15740). It stems from improper handling of a device-supplied length during a USB data transfer, creating a buffer overflow condition that could lead to system instability or arbitrary code execution.
The technical flaw occurs while processing the device response: the header_length value is extracted from the initial packet and then used in arithmetic. Line 165 of the source reads header_length, which is the total container length declared by the device. The conditional check at line 178 evaluates (header_length - UX_HOST_CLASS_PIMA_DATA_HEADER_SIZE) > data_length. When header_length is smaller than the header size constant, the unsigned subtraction wraps around, so the data_length calculation at line 182 produces an incorrect (very large) value. This miscalculation propagates into the copy loop, which ends up advancing data_pointer past the end of the destination buffer.
The operational impact goes beyond simple buffer corruption and represents a security risk for embedded systems that rely on Azure RTOS USBX for USB host communication. The out-of-bounds writes performed by the while loop starting at line 192 corrupt memory in a way that could be exploited to execute arbitrary code or to cause a denial of service. Affected systems are those that use the USBX PIMA host class to talk to digital cameras and other PIMA/PTP-compliant devices, since the vulnerable path is the read side of that class. The flaw aligns with CWE-190, Integer Overflow or Wraparound, and CWE-121, Stack-based Buffer Overflow, fundamental software weaknesses that attackers can leverage to compromise system integrity.
The mitigation strategy consists of the input validation checks on header_length recommended in the workaround. First, header_length must exceed UX_HOST_CLASS_PIMA_DATA_HEADER_SIZE, which rules out the wraparound in the subtraction. Second, header_length must be greater than or equal to the number of bytes actually returned by the USB transfer request, so a device cannot deliver more data than it declared. The official fix was incorporated in USBX release 6.1.12, which addresses the root cause through proper boundary checking and arithmetic validation. Organizations should patch affected systems promptly and consider monitoring for potential exploitation attempts, particularly in environments where USB devices with PIMA protocol support are actively used.
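The following C program is an added illustration of the arithmetic described in the Summary and of the two-check workaround described in the mitigation paragraph; it is not USBX code and does not come from the advisory or the VulDB analysis. It models the device-supplied header_length being turned into a payload length: an unchecked version that wraps when header_length is smaller than the header, and a hardened version that applies both workaround checks plus a buffer-fit check before any copying happens. The 12-byte header size, the status codes, the function names and the sample packets are assumptions and constructions of this example, not values taken from USBX.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

typedef uint32_t ULONG;   /* USBX's ULONG is a 32-bit unsigned type */

/* Assumed value: a PTP/PIMA data container header is 12 bytes (4-byte length,
 * 2-byte type, 2-byte code, 4-byte transaction id). USBX names this constant
 * UX_HOST_CLASS_PIMA_DATA_HEADER_SIZE; the value here is an assumption. */
#define PIMA_DATA_HEADER_SIZE 12u

/* Hypothetical status codes for this example (not USBX's UX_* codes). */
#define PIMA_OK            0
#define PIMA_BAD_HEADER    1
#define PIMA_BUFFER_SMALL  2

/* PTP container fields are little-endian. */
static ULONG le32(const uint8_t *p)
{
    return (ULONG)p[0] | ((ULONG)p[1] << 8) | ((ULONG)p[2] << 16) | ((ULONG)p[3] << 24);
}

/* Unchecked derivation of the payload length, modelling the arithmetic the
 * advisory describes. With header_length < 12 the unsigned subtraction wraps
 * to a value near 2^32, which a copy loop would treat as "bytes still to read". */
ULONG unchecked_payload_length(ULONG header_length)
{
    return header_length - PIMA_DATA_HEADER_SIZE;
}

/* Hardened derivation implementing the advisory's workaround:
 *  1. header_length must be greater than the header size;
 *  2. header_length must be >= the bytes actually returned in the first packet
 *     (transfer_request->ux_transfer_request_actual_length in USBX);
 * plus one extra check added here: the payload must fit the caller's buffer.
 * Writes *payload_length only when every check passes. */
int checked_payload_length(ULONG header_length, ULONG actual_length,
                           ULONG buffer_length, ULONG *payload_length)
{
    if (header_length <= PIMA_DATA_HEADER_SIZE)
        return PIMA_BAD_HEADER;            /* subtraction below would wrap */
    if (header_length < actual_length)
        return PIMA_BAD_HEADER;            /* device sent more than it declared */
    ULONG payload = header_length - PIMA_DATA_HEADER_SIZE;   /* cannot wrap now */
    if (payload > buffer_length)
        return PIMA_BUFFER_SMALL;
    *payload_length = payload;
    return PIMA_OK;
}

/* Convenience wrapper that returns only the status. */
int check_status(ULONG header_length, ULONG actual_length, ULONG buffer_length)
{
    ULONG unused;
    return checked_payload_length(header_length, actual_length, buffer_length, &unused);
}

/* Copy the payload bytes carried by the first data packet into the caller's
 * buffer. Returns bytes copied, or -1 if the header was rejected. */
long read_first_packet(const uint8_t *packet, ULONG actual_length,
                       uint8_t *buffer, ULONG buffer_length)
{
    if (actual_length < PIMA_DATA_HEADER_SIZE)
        return -1;                          /* too short to hold a header */
    ULONG payload;
    if (checked_payload_length(le32(packet), actual_length, buffer_length, &payload) != PIMA_OK)
        return -1;
    /* Only the bytes present in this packet are copied now; the remainder
     * arrives in later packets, bounded by the validated total. */
    ULONG in_packet = actual_length - PIMA_DATA_HEADER_SIZE;
    ULONG to_copy = in_packet < payload ? in_packet : payload;
    memcpy(buffer, packet + PIMA_DATA_HEADER_SIZE, to_copy);
    return (long)to_copy;
}

/* Constructed sample packets (not captured from a real device). */
static const uint8_t good_packet[20] = {
    0x14, 0x00, 0x00, 0x00,                   /* container length = 20 */
    0x02, 0x00,                               /* type: data block */
    0x01, 0x10,                               /* operation code (arbitrary) */
    0x01, 0x00, 0x00, 0x00,                   /* transaction id */
    'p', 'a', 'y', 'l', 'o', 'a', 'd', '!'    /* 8 payload bytes */
};
static const uint8_t bad_packet[20] = {
    0x04, 0x00, 0x00, 0x00,                   /* container length = 4: smaller than the header */
    0x02, 0x00, 0x01, 0x10, 0x01, 0x00, 0x00, 0x00,
    'X', 'X', 'X', 'X', 'X', 'X', 'X', 'X'
};

long demo_good_read(void)
{
    uint8_t buffer[64];
    return read_first_packet(good_packet, sizeof good_packet, buffer, sizeof buffer);
}

long demo_bad_read(void)
{
    uint8_t buffer[64];
    return read_first_packet(bad_packet, sizeof bad_packet, buffer, sizeof buffer);
}

int main(void)
{
    printf("unchecked payload length for header_length=4: 0x%08lx\n",
           (unsigned long)unchecked_payload_length(4));
    printf("good packet: %ld bytes copied\n", demo_good_read());
    printf("bad packet:  %ld (rejected)\n", demo_bad_read());
    return 0;
}
```

The ordering of the checks is the point: the comparison against the header size comes first, so the subtraction that follows is performed only on a value that cannot wrap, and the comparison against the actual transfer length stops a device from shipping a first packet that is longer than its declared container. A third check against the caller's buffer is not part of the published workaround but is what a host-side reader needs before it starts copying.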
The vulnerability demonstrates the importance of validating device-supplied values in embedded systems, where memory constraints make buffer overflow conditions particularly dangerous. It is a classic example of how a seemingly minor arithmetic operation on untrusted input can have significant security consequences when bounds checking is omitted, and it underlines the need for thorough security testing of embedded components and adherence to secure coding practices even in resource-constrained environments.