anonhaven
Ad

CVE-2025-55095

HIGH CVSS 3.1: 7.0 EPSS 0.02%
Updated Apr 02, 2026
Eclipse
Parameter Value
CVSS 7.0 (HIGH)
Affected Versions before 6.4.2
Type CWE-121 (Stack-based Buffer Overflow), CWE-787 (Out-of-bounds Write), CWE-674
Vendor Eclipse
Public PoC No

The function _ux_host_class_storage_media_mount() is responsible for mounting partitions on a USB mass storage device. When it encounters an extended partition entry in the partition table, it recursively calls itself to mount the next logical partition. This recursion occurs in _ux_host_class_storage_partition_read(), which parses up to four partition entries.

If an extended partition is found (with type UX_HOST_CLASS_STORAGE_PARTITION_EXTENDED or EXTENDED_LBA_MAPPED), the code invokes: _ux_host_class_storage_media_mount(storage, sector + _ux_utility_long_get(...)); There is no limit on the recursion depth or tracking of visited sectors. As a result, a malicious or malformed disk image can include cyclic or excessively deep chains of extended partitions, causing the function to recurse until stack overflow occurs.

Attack Parameters

Attack Vector
Local
Requires local access
Attack Complexity
High
Difficult to exploit
Privileges Required
Low
Basic privileges needed
User Interaction
None
No user interaction needed

Impact Assessment

Confidentiality
High
Complete data leak
Integrity
High
Complete data modification
Availability
High
Complete denial of service

CVSS Vector v3.1

Weakness Type (CWE)

CWE-121 Stack-based Buffer Overflow
CWE-787 Out-of-bounds Write
CWE-674

Vulnerable Products 1

Configuration From (including) Up to (excluding)
Eclipse Threadx_Usbx
cpe:2.3:a:eclipse:threadx_usbx:*:*:*:*:*:*:*:*
 <= 6.4.2

References 1

https://github.com/eclipse-threadx/usbx/security/advisories/GHSA-qfmp-wch9-rpv2
emo@eclipse.org
Share Post Share Share Share

Related Vulnerabilities

CVE-2026-1605

Eclipse

7.5

CVE-2025-11143

Eclipse

6.5

CVE-2026-22886

Elipse

9.8

CVE-2026-0648

Eclipse

6.3

CVE-2025-55102

Eclipse

8.7