CVE-2025-55100
Published: 17 October 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-55100 affects USBX before version 6.4.3, the USB support module for the Eclipse Foundation's ThreadX real-time operating system. The vulnerability is a potential out-of-bounds read issue in the function _ux_host_class_audio10_sam_parse_func() when parsing a list of sampling frequencies. Classified as CWE-125 (Out-of-bounds Read), it received a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H) upon publication on 2025-10-17.
Remote attackers can exploit this vulnerability over the network with low complexity, requiring no privileges, authentication, or user interaction. Exploitation leads to high confidentiality and availability impacts, potentially allowing sensitive information disclosure via memory reads or denial-of-service through application crashes, while integrity remains unaffected.
The GitHub security advisory (GHSA-j253-w29r-9m48) at https://github.com/eclipse-threadx/usbx/security/advisories/GHSA-j253-w29r-9m48 details the issue, with mitigation achieved by upgrading to USBX 6.4.3 or later.
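The advisory describes the flaw only as an out-of-bounds read while parsing a list of sampling frequencies, so the following is an added illustration of the defensive check such a parser needs, not USBX's code and not the patched routine. It parses the tSamFreq[] list of a USB Audio 1.0 Type I FORMAT_TYPE descriptor (field layout per the USB Audio 1.0 class specification) and refuses any descriptor whose claimed frequency count does not fit inside its own bLength and inside the bytes actually held in the buffer. The function names, constants and the two constructed descriptor fixtures are assumptions made for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed example: bounds-checked parsing of the sampling-frequency list
 * in a USB Audio 1.0 Type I FORMAT_TYPE descriptor. Layout (UAC 1.0):
 *   0 bLength, 1 bDescriptorType, 2 bDescriptorSubtype, 3 bFormatType,
 *   4 bNrChannels, 5 bSubframeSize, 6 bBitResolution, 7 bSamFreqType,
 *   8.. tSamFreq[] (3-byte little-endian entries).
 * Names below are assumptions for this illustration, not USBX identifiers. */

#define UAC1_FORMAT_TYPE_HDR_LEN 8u   /* bytes preceding tSamFreq[] */
#define UAC1_SAM_FREQ_LEN        3u   /* size of one tSamFreq entry */

static uint32_t read_u24_le(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16);
}

/* Parse tSamFreq[] from the descriptor at `desc`, of which `avail` bytes are
 * actually present in memory. Writes up to `out_cap` frequencies to `out`.
 * Returns the number of entries parsed, or -1 for any inconsistent length,
 * so a device-supplied count can never drive reads past the buffer. */
int parse_uac1_sam_freqs(const uint8_t *desc, size_t avail,
                         uint32_t *out, size_t out_cap)
{
    if (desc == NULL || out == NULL) return -1;
    if (avail < UAC1_FORMAT_TYPE_HDR_LEN) return -1;

    uint8_t bLength = desc[0];
    /* The descriptor must be at least a header and must fit in what we hold. */
    if (bLength < UAC1_FORMAT_TYPE_HDR_LEN || (size_t)bLength > avail) return -1;

    /* bSamFreqType: 0 = continuous range (lower, upper), else discrete count. */
    uint8_t type = desc[7];
    size_t n = (type == 0) ? 2u : (size_t)type;

    /* The claimed list must lie within bLength, not merely within `avail`. */
    size_t list_bytes = (size_t)bLength - UAC1_FORMAT_TYPE_HDR_LEN;
    if (n * UAC1_SAM_FREQ_LEN > list_bytes) return -1;
    if (n > out_cap) return -1;

    for (size_t i = 0; i < n; i++) {
        out[i] = read_u24_le(desc + UAC1_FORMAT_TYPE_HDR_LEN + i * UAC1_SAM_FREQ_LEN);
    }
    return (int)n;
}

/* Constructed fixtures (not captured from any device). */
/* Well-formed: bLength 14, two discrete rates, 44100 Hz and 48000 Hz. */
static const uint8_t good_desc[] = {
    14, 0x24, 0x02, 0x01, 0x02, 0x02, 0x10, 0x02,
    0x44, 0xAC, 0x00,   /* 44100 = 0x00AC44 */
    0x80, 0xBB, 0x00    /* 48000 = 0x00BB80 */
};
/* Malformed: bSamFreqType claims 5 entries (15 bytes) but bLength is 11. */
static const uint8_t short_desc[] = {
    11, 0x24, 0x02, 0x01, 0x02, 0x02, 0x10, 0x05,
    0x44, 0xAC, 0x00
};

int demo_good(uint32_t *out, size_t cap)
{
    return parse_uac1_sam_freqs(good_desc, sizeof good_desc, out, cap);
}

int demo_short(uint32_t *out, size_t cap)
{
    return parse_uac1_sam_freqs(short_desc, sizeof short_desc, out, cap);
}

/* bLength is honest but the buffer was truncated before the list ended. */
int demo_truncated(uint32_t *out, size_t cap)
{
    return parse_uac1_sam_freqs(good_desc, 10, out, cap);
}

int main(void)
{
    uint32_t f[8];
    int n = demo_good(f, 8);
    printf("good: %d entries, first=%u\n", n, n > 0 ? f[0] : 0u);
    printf("short: %d\n", demo_short(f, 8));
    printf("truncated: %d\n", demo_truncated(f, 8));
    return 0;
}
```

The two rejections matter for different reasons: `short_desc` is the descriptor-internal inconsistency (count larger than bLength allows), while `demo_truncated` covers the case where the descriptor's own length is plausible but the enumeration buffer ends early. A parser that validates only one of the two still has an over-read path.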
Details
- CWE(s): CWE-125 (Out-of-bounds Read)
- Affected Products: USBX before version 6.4.3 (Eclipse ThreadX)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Remote, unauthenticated network exploitation of a public-facing USB parser vulnerability enabling information disclosure and DoS.