CVE-2022-36063
Severity CVSS v4.0:
Pending analysis
Type:
CWE-121
Stack-based Buffer Overflow
Publication date:
10/10/2022
Last modified:
27/10/2025
Description
Azure RTOS USBx is a USB host, device, and on-the-go (OTG) embedded stack, fully integrated with Azure RTOS ThreadX and available for all Azure RTOS ThreadX–supported processors. Azure RTOS USBX implementation of host support for USB CDC ECM includes an integer underflow and a buffer overflow in the `_ux_host_class_cdc_ecm_mac_address_get` function which may be potentially exploited to achieve remote code execution or denial of service. Setting mac address string descriptor length to a `0` or `1` allows an attacker to introduce an integer underflow followed (string_length) by a buffer overflow of the `cdc_ecm -> ux_host_class_cdc_ecm_node_id` array. This may allow one to redirect the code execution flow or introduce a denial of service. The fix has been included in USBX release [6.1.12](https://github.com/azure-rtos/usbx/releases/tag/v6.1.12_rel). Improved mac address string descriptor length validation to check for unexpectedly small values may be used as a workaround.
Impact
Base Score 3.x
7.60
Severity 3.x
HIGH
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:eclipse:threadx_usbx:*:*:*:*:*:*:*:* | 6.1.11 (excluding) |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- https://github.com/azure-rtos/usbx/blob/master/common/usbx_host_classes/src/ux_host_class_cdc_ecm_mac_address_get.c#L264
- https://github.com/azure-rtos/usbx/releases/tag/v6.1.12_rel
- https://github.com/azure-rtos/usbx/security/advisories/GHSA-chpp-5fv9-6368
- https://github.com/azure-rtos/usbx/blob/master/common/usbx_host_classes/src/ux_host_class_cdc_ecm_mac_address_get.c#L264
- https://github.com/azure-rtos/usbx/releases/tag/v6.1.12_rel
- https://github.com/azure-rtos/usbx/security/advisories/GHSA-chpp-5fv9-6368