CVE-2025-55097 in USBX
Summary
by MITRE • 10/17/2025
In USBX before 6.4.3, the USB support module for Eclipse Foundation ThreadX, there was a potential out of bound read issue in _ux_host_class_audio_streaming_sampling_get() when parsing a descriptor of an USB streaming device.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 10/25/2025
The vulnerability identified as CVE-2025-55097 affects USBX, a USB support module within the Eclipse Foundation ThreadX operating system framework. This module serves as a critical component for USB device communication and management in embedded systems and real-time applications. The issue manifests as a potential out-of-bounds read condition that occurs during the parsing of USB streaming device descriptors, specifically within the _ux_host_class_audio_streaming_sampling_get() function. Such vulnerabilities in USB stack implementations can have severe implications for system stability and security, particularly in environments where real-time processing and reliable device communication are paramount.
The technical flaw stems from inadequate bounds checking within the audio streaming descriptor parsing logic. When USB streaming devices communicate with systems using USBX, the module attempts to extract sampling rate information from audio streaming descriptors. However, the _ux_host_class_audio_streaming_sampling_get() function fails to properly validate the length or structure of incoming descriptor data before attempting to read beyond predetermined buffer boundaries. This lack of input validation creates a scenario where malformed or maliciously crafted USB descriptors could trigger memory access violations, potentially leading to system crashes, data corruption, or unauthorized access to system resources. The vulnerability is classified as a classic buffer over-read issue that aligns with CWE-129 and CWE-787, representing weaknesses in input validation and memory safety.
The operational impact of this vulnerability extends beyond simple system instability, particularly in critical embedded applications where USB audio streaming is utilized. In industrial control systems, medical devices, automotive infotainment systems, and other safety-critical environments, a compromised USB stack could lead to complete system failure or unpredictable behavior. Attackers could potentially exploit this vulnerability by connecting malicious USB devices that present specially crafted audio streaming descriptors, triggering the out-of-bounds read condition. The attack surface is particularly concerning given that ThreadX is widely used in embedded systems where physical access to USB ports is common and where system reliability is crucial. This vulnerability also aligns with ATT&CK technique T1059.001 for command and scripting interpreter, as it could enable attackers to escalate privileges or gain deeper system access through memory corruption exploits.
Mitigation strategies for CVE-2025-55097 primarily involve upgrading to USBX version 6.4.3 or later, which includes proper bounds checking and descriptor validation mechanisms. System administrators should implement comprehensive patch management processes to ensure all embedded systems utilizing ThreadX are updated promptly. Additional defensive measures include implementing USB device whitelisting policies, restricting USB port access in critical environments, and deploying runtime monitoring solutions to detect anomalous USB behavior. Organizations should also conduct thorough security assessments of their embedded systems to identify potential exploitation vectors and ensure proper input validation across all USB-related components. The fix addresses the root cause by introducing proper bounds checking within the descriptor parsing routine, preventing unauthorized memory access while maintaining full compatibility with legitimate USB streaming devices.