CVE-2025-55095 Overview
A stack overflow vulnerability exists in Eclipse ThreadX USBX due to unbounded recursion in the _ux_host_class_storage_media_mount() function. This function is responsible for mounting partitions on a USB mass storage device and recursively processes extended partition entries without depth limits or cycle detection. A malicious or malformed disk image containing cyclic or excessively deep chains of extended partitions can trigger unbounded recursion, causing a stack overflow condition.
Critical Impact
An attacker with local access can craft a malicious USB mass storage device or disk image that exploits the unbounded recursion to cause a denial of service through stack exhaustion, potentially leading to system instability or crashes in embedded systems running USBX.
Affected Products
- Eclipse ThreadX USBX (USB stack component)
- Embedded systems and IoT devices utilizing USBX for USB mass storage handling
- Real-time operating systems integrating the ThreadX USBX library
Discovery Timeline
- 2026-01-27 - CVE-2025-55095 published to NVD
- 2026-01-29 - Last updated in NVD database
Technical Details for CVE-2025-55095
Vulnerability Analysis
The vulnerability is classified under CWE-121 (Stack-based Buffer Overflow) and stems from improper handling of recursive operations when processing USB mass storage partition tables. The _ux_host_class_storage_media_mount() function processes partition entries and, when encountering an extended partition type (UX_HOST_CLASS_STORAGE_PARTITION_EXTENDED or EXTENDED_LBA_MAPPED), recursively invokes itself to handle nested logical partitions.
The function _ux_host_class_storage_partition_read() parses up to four partition entries from the partition table. When an extended partition is encountered, it triggers a recursive call with a calculated sector offset. Without any safeguards on recursion depth or tracking of previously visited sectors, the code is susceptible to exploitation through carefully crafted partition chains.
Root Cause
The root cause is the absence of recursion depth limits and visited sector tracking in the partition mounting logic. When processing extended partitions, the code unconditionally recurses without checking:
- The current recursion depth against a maximum threshold
- Whether a sector has been previously visited (cycle detection)
This allows malformed disk images to create partition table structures that reference themselves or form deep chains, exhausting the call stack.
Attack Vector
The attack requires local access with the ability to connect a malicious USB mass storage device or provide a crafted disk image to the target system. The attacker constructs a partition table with:
- Cyclic references where extended partition entries point back to previously processed sectors
- Deeply nested chains of extended partitions exceeding the available stack space
When the USBX stack attempts to mount this malicious device, the unbounded recursion consumes stack memory until overflow occurs.
The vulnerable code path involves the recursive invocation pattern:
_ux_host_class_storage_media_mount() → _ux_host_class_storage_partition_read() → _ux_host_class_storage_media_mount() (recursive)
The recursion continues without bounds when extended partition entries are encountered, with each recursive call consuming stack space for function parameters and local variables. For a detailed technical analysis, see the GitHub Security Advisory.
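The following is an added example, not code from USBX or the Eclipse ThreadX project. It models the partition walk described above (an MBR-style table at byte 446 with four 16-byte entries, extended types 0x05 and 0x0F recursing into another table) and adds the two guards the root-cause section says are missing: a recursion depth cap and a visited-sector bitmap. The disk is a constructed in-memory array, `MAX_PARTITION_DEPTH`, `NUM_SECTORS` and all function names are this example's own choices, and the convention that an extended entry's start LBA is relative to the sector holding the table is a simplification assumed here, not USBX's actual offset arithmetic. Two constructed images exercise the guards: one with a self-referencing extended entry (the cyclic case) and one with a 15-level chain (the deep-nesting case).

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed in-memory disk of 512-byte sectors; no real device is touched. */
#define SECTOR_SIZE         512
#define NUM_SECTORS         16
#define PART_TABLE_OFFSET   446   /* MBR/EBR partition table starts at byte 446 */
#define PART_ENTRY_SIZE     16
#define PART_TYPE_LINUX     0x83  /* any non-extended type counts as a mountable partition */
#define PART_TYPE_EXT       0x05  /* extended partition */
#define PART_TYPE_EXT_LBA   0x0F  /* extended partition, LBA-mapped */
#define MAX_PARTITION_DEPTH 8     /* assumed cap; size it to the RTOS thread stack */

static uint8_t disk[NUM_SECTORS][SECTOR_SIZE];

typedef struct {
    int partitions_found;   /* non-extended entries that would be mounted */
    int depth_limited;      /* 1 if the recursion cap stopped the walk */
    int cycle_detected;     /* 1 if an extended entry pointed at a sector already walked */
    int out_of_range;       /* extended entries that pointed past the end of the disk */
} mount_result_t;

static uint32_t rd_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Guarded walk. The depth cap and the visited bitmap are the two checks the
 * advisory says the vulnerable mount path lacks; everything else is the same
 * recursive shape (table -> extended entry -> table). */
static void mount_walk(uint32_t sector, int depth, uint32_t *visited, mount_result_t *res)
{
    if (depth > MAX_PARTITION_DEPTH) { res->depth_limited = 1; return; }
    if (visited[sector / 32] & (1u << (sector % 32))) { res->cycle_detected = 1; return; }
    visited[sector / 32] |= 1u << (sector % 32);

    const uint8_t *sec = disk[sector];
    if (sec[510] != 0x55 || sec[511] != 0xAA) return;   /* no boot signature: not a table */

    for (int i = 0; i < 4; i++) {
        const uint8_t *e = sec + PART_TABLE_OFFSET + i * PART_ENTRY_SIZE;
        uint8_t type = e[4];
        uint32_t start = rd_le32(e + 8);
        if (type == 0) continue;                                    /* empty slot */
        if (type != PART_TYPE_EXT && type != PART_TYPE_EXT_LBA) { res->partitions_found++; continue; }
        uint64_t next = (uint64_t)sector + start;   /* 64-bit so a huge LBA cannot wrap back into range */
        if (next >= NUM_SECTORS) { res->out_of_range++; continue; }
        mount_walk((uint32_t)next, depth + 1, visited, res);
    }
}

mount_result_t mount_disk(void)
{
    mount_result_t res = {0, 0, 0, 0};
    uint32_t visited[(NUM_SECTORS + 31) / 32] = {0};
    mount_walk(0, 0, visited, &res);
    return res;
}

/* Helpers that build constructed (not captured) partition tables. */
static void init_table_sector(uint32_t sector)
{
    memset(disk[sector], 0, SECTOR_SIZE);
    disk[sector][510] = 0x55;
    disk[sector][511] = 0xAA;
}

static void set_entry(uint32_t sector, int idx, uint8_t type, uint32_t start_lba)
{
    uint8_t *e = disk[sector] + PART_TABLE_OFFSET + idx * PART_ENTRY_SIZE;
    e[4] = type;
    e[8]  = (uint8_t)start_lba;         e[9]  = (uint8_t)(start_lba >> 8);
    e[10] = (uint8_t)(start_lba >> 16); e[11] = (uint8_t)(start_lba >> 24);
}

/* Image A: sector 2's extended entry points back at sector 2 itself. */
void build_cyclic_image(void)
{
    memset(disk, 0, sizeof disk);
    init_table_sector(0);
    set_entry(0, 0, PART_TYPE_LINUX, 1);
    set_entry(0, 1, PART_TYPE_EXT, 2);       /* -> sector 2 */
    init_table_sector(2);
    set_entry(2, 0, PART_TYPE_LINUX, 1);
    set_entry(2, 1, PART_TYPE_EXT, 0);       /* -> sector 2 again: the cycle */
}

/* Image B: each sector's extended entry points at the next sector, 15 levels deep. */
void build_deep_chain_image(void)
{
    memset(disk, 0, sizeof disk);
    init_table_sector(0);
    set_entry(0, 0, PART_TYPE_EXT, 1);
    for (uint32_t s = 1; s < NUM_SECTORS; s++) {
        init_table_sector(s);
        set_entry(s, 0, PART_TYPE_LINUX, 1);
        set_entry(s, 1, PART_TYPE_EXT, 1);   /* -> sector s+1; the last one runs off the disk */
    }
}

int main(void)
{
    build_cyclic_image();
    mount_result_t a = mount_disk();
    printf("cyclic image: partitions=%d cycle=%d depth_limited=%d\n",
           a.partitions_found, a.cycle_detected, a.depth_limited);
    build_deep_chain_image();
    mount_result_t b = mount_disk();
    printf("deep chain:   partitions=%d cycle=%d depth_limited=%d\n",
           b.partitions_found, b.cycle_detected, b.depth_limited);
    return 0;
}
```

On the cyclic image the walk mounts two partitions and stops with `cycle_detected` set the moment sector 2 is reached a second time; on the deep chain it mounts eight partitions (one per level up to the cap) and stops with `depth_limited` set. The depth cap alone would eventually also stop a cycle, but only after burning `MAX_PARTITION_DEPTH` frames of stack, which is why the bitmap check comes first. A 64-bit `next` avoids the separate failure of a large start LBA wrapping a 32-bit sum back into a valid sector.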
Detection Methods for CVE-2025-55095
Indicators of Compromise
- Unexpected system crashes or resets when USB mass storage devices are connected
- Stack overflow exceptions or memory corruption errors in embedded system logs
- Abnormally high CPU utilization during USB device enumeration
- Core dumps or crash reports indicating deep call stacks in USBX partition handling functions
Detection Strategies
- Monitor system stability when handling USB mass storage device connections
- Implement stack usage monitoring to detect abnormal consumption during device mounting
- Deploy SentinelOne Singularity to detect anomalous behavior patterns associated with stack exhaustion attacks
- Review firmware logs for repeated partition mount failures or recursive function patterns
Monitoring Recommendations
- Enable stack overflow detection mechanisms in embedded RTOS configurations
- Implement watchdog timers to detect and recover from hung partition mounting operations
- Log and alert on USB device connection events that result in abnormal processing times
- Monitor memory usage patterns during USB mass storage enumeration sequences
How to Mitigate CVE-2025-55095
Immediate Actions Required
- Review all deployed systems for USBX usage and identify vulnerable firmware versions
- Restrict physical USB port access on critical embedded systems
- Implement USB device allowlisting where feasible to prevent unknown devices from being processed
- Plan firmware updates to incorporate patched USBX versions when available
Patch Information
A security advisory has been published by the Eclipse ThreadX project. Organizations should consult the GitHub Security Advisory for the latest patch information and remediation guidance. Updated USBX versions are expected to include recursion depth limits and cycle detection to prevent this vulnerability from being exploited.
Workarounds
- Disable automatic USB mass storage mounting if not required for system functionality
- Implement physical access controls to prevent unauthorized USB device connections
- Deploy endpoint protection that can detect and block malicious USB device behavior
- Consider disabling extended partition support if only primary partitions are required
# Example: Disable USB mass storage in device configuration (platform-specific)
# Consult your platform documentation for specific configuration options
# For ThreadX USBX, consider disabling host storage class if not needed:
# UX_HOST_CLASS_STORAGE_DISABLE=1
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

