CVE-2025-55095 in ThreadX
Summary
by MITRE • 01/27/2026
The function _ux_host_class_storage_media_mount() is responsible for mounting partitions on a USB mass storage device. When it encounters an extended partition entry in the partition table, it recursively calls itself to mount the next logical partition.
This recursion occurs in _ux_host_class_storage_partition_read(), which parses up to four partition entries. If an extended partition is found (with type UX_HOST_CLASS_STORAGE_PARTITION_EXTENDED or EXTENDED_LBA_MAPPED), the code invokes: _ux_host_class_storage_media_mount(storage, sector + _ux_utility_long_get(...));
There is no limit on the recursion depth or tracking of visited sectors. As a result, a malicious or malformed disk image can include cyclic or excessively deep chains of extended partitions, causing the function to recurse until stack overflow occurs.
Analysis
by VulDB Data Team • 01/27/2026
The vulnerability described in CVE-2025-55095 represents a critical stack-based buffer overflow flaw within the USB mass storage class implementation of a host-side storage driver. This issue manifests in the _ux_host_class_storage_media_mount() function which handles the mounting process for USB mass storage devices. The function's recursive behavior becomes problematic when processing extended partition entries in disk partition tables, creating a scenario where maliciously crafted disk images can trigger unlimited recursive calls without any depth limiting mechanisms or sector tracking. The vulnerability stems from the lack of proper recursion depth validation and circular reference detection within the partition table parsing logic.
The technical implementation of this flaw occurs within the _ux_host_class_storage_partition_read() function, which processes up to four partition entries in a standard partition table. When an extended partition type is encountered, specifically identified by the UX_HOST_CLASS_STORAGE_PARTITION_EXTENDED or EXTENDED_LBA_MAPPED constants, the code executes a recursive call whose target sector is the current base sector plus the start offset read from the entry. This recursive mechanism continues indefinitely without any bounds checking or visited-sector tracking, allowing an attacker to construct a partition table with cyclic references or deeply nested extended partitions. The absence of a stack depth limit means that each recursive call consumes stack space, eventually leading to stack exhaustion and a potential system crash or arbitrary code execution.
The operational impact of this vulnerability is severe as it can be triggered through simple USB mass storage device insertion, making it particularly dangerous in environments where untrusted USB devices are permitted. An attacker with access to create or modify disk images can craft malicious partition tables that will cause the host system to crash during the mounting process, effectively creating a denial-of-service condition. The vulnerability affects any system running the affected USB storage class driver and can potentially be exploited to achieve privilege escalation or arbitrary code execution depending on the system's memory protection mechanisms. This issue directly maps to CWE-674, which describes "Uncontrolled Recursion" in software design, and aligns with ATT&CK technique T1059.001 for execution through command injection or system call manipulation.
Mitigation strategies for this vulnerability should include implementing strict recursion depth limits within the partition table parsing logic, adding sector tracking to detect circular references, and enforcing maximum partition nesting levels. The system should validate that each sector is only processed once during partition table traversal and establish a maximum recursion depth threshold that prevents excessive stack consumption. Additionally, input validation should be implemented to reject partition tables containing suspiciously deep or cyclic partition structures. System administrators should consider disabling USB mass storage support for untrusted users or environments where such attacks are possible, while firmware updates should be deployed to address the underlying recursive call mechanism. The fix should also incorporate proper error handling that terminates processing when recursion limits are exceeded rather than allowing the system to crash due to stack overflow conditions.
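The bounded traversal the mitigation paragraph calls for, as an added C example that is not USBX code: a minimal MBR/EBR walker over a constructed in-memory disk image, with a hypothetical depth cap (MAX_EXT_DEPTH) and a visited-sector list, run once on a well-formed image and once on an image whose extended entry points back at its own sector. The type constants, sector layout and helper names are simplified stand-ins for the driver's own.

```c
#include <stdint.h>
#include <string.h>
#define SECTOR_SIZE   512
#define NUM_SECTORS   4
#define MAX_EXT_DEPTH 8      /* hypothetical nesting cap; the real fix would pick its own */
#define TYPE_FAT32    0x0B
#define TYPE_EXT      0x05   /* stands in for UX_HOST_CLASS_STORAGE_PARTITION_EXTENDED */
#define TYPE_EXT_LBA  0x0F   /* stands in for ..._EXTENDED_LBA_MAPPED */
static uint8_t disk[NUM_SECTORS * SECTOR_SIZE];   /* constructed in-memory disk image */

static uint32_t get_le32(const uint8_t *p) { return p[0] | (p[1] << 8) | (p[2] << 16) | ((uint32_t)p[3] << 24); }

/* Write entry idx (0..3) of the partition table in sector sec: type byte and LBA start. */
static void put_entry(uint32_t sec, int idx, uint8_t type, uint32_t lba) {
    uint8_t *e = disk + sec * SECTOR_SIZE + 446 + idx * 16;
    e[4] = type;
    for (int i = 0; i < 4; i++) e[8 + i] = (uint8_t)(lba >> (8 * i));
}

/* Hardened traversal: a depth bound plus a visited-sector list make a cyclic or over-deep chain
 * return -1 instead of recursing until the stack is gone. Success returns the partition count. */
static int walk(uint32_t sector, int depth, uint32_t *seen, int *nseen, int *mounted) {
    if (depth >= MAX_EXT_DEPTH || sector >= NUM_SECTORS) return -1;
    for (int i = 0; i < *nseen; i++) if (seen[i] == sector) return -1;  /* already visited */
    seen[(*nseen)++] = sector;   /* nseen == depth here, so seen[MAX_EXT_DEPTH] cannot overflow */
    const uint8_t *tbl = disk + sector * SECTOR_SIZE + 446;
    for (int i = 0; i < 4; i++) {
        uint8_t type = tbl[i * 16 + 4];
        uint32_t lba = get_le32(tbl + i * 16 + 8);
        if (type == 0) continue;
        if (type == TYPE_EXT || type == TYPE_EXT_LBA) {
            /* same arithmetic as the vulnerable call: current sector + entry offset */
            if (walk(sector + lba, depth + 1, seen, nseen, mounted) < 0) return -1;
        } else (*mounted)++;
    }
    return *mounted;
}

static int mount_image(void) { uint32_t seen[MAX_EXT_DEPTH]; int n = 0, m = 0; return walk(0, 0, seen, &n, &m); }

/* Well-formed image: one primary FAT32 plus an extended chain holding one logical partition. */
int mount_sane_image(void) {
    memset(disk, 0, sizeof disk);
    put_entry(0, 0, TYPE_FAT32, 1); put_entry(0, 1, TYPE_EXT, 2);   /* EBR lives at sector 2 */
    put_entry(2, 0, TYPE_FAT32, 1);                                  /* one logical partition */
    return mount_image();
}

/* Malformed image: the EBR's "next extended" entry has offset 0, so it points at itself. */
int mount_cyclic_image(void) {
    memset(disk, 0, sizeof disk);
    put_entry(0, 0, TYPE_EXT, 2); put_entry(2, 0, TYPE_FAT32, 1);
    put_entry(2, 1, TYPE_EXT_LBA, 0);   /* 2 + 0 == 2: the cycle the hardened walk rejects */
    return mount_image();
}
```

The same walk without the depth check and the seen list would revisit sector 2 forever on the second image, which is the failure mode the advisory describes.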