CVE-2022-29223 - Vulnerability Details - OpenCVE

ReportizFlow

Azure RTOS USBX is a USB host, device, and on-the-go (OTG) embedded stack. In versions prior to 6.1.10, an attacker can cause a buffer overflow by providing the Azure RTOS USBX host stack a HUB descriptor with `bNbPorts` set to a value greater than `UX_MAX_TT` which defaults to 8. For a `bNbPorts` value of 255, the implementation of `ux_host_class_hub_descriptor_get` function will modify the contents of `hub` -> `ux_host_class_hub_device` -> `ux_device_hub_tt` array violating the end boundary by 255 - `UX_MAX_TT` items. The USB host stack needs to validate the number of ports reported by the hub, and if the value is larger than UX_MAX_TT, USB stack needs to reject the request. This fix has been included in USBX release 6.1.10.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:N/C:P/I:P/A:P

This CVE is not in the KEV list.

Exploitation none

Automatable yes

Technical Impact partial

Vendors	Products
Eclipse	Threadx Usbx

Configuration 1 [-]

cpe:2.3:a:eclipse:threadx_usbx:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/azure-rtos/usbx/releases/tag/v6.1.10_rel
https://github.com/azure-rtos/usbx/security/advisories/GHSA-2qc5-385m-x862

History

Mon, 27 Oct 2025 14:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Eclipse Eclipse threadx Usbx
CPEs	cpe:2.3:o:microsoft:azure_rtos_usbx::::::::	cpe:2.3:a:eclipse:threadx_usbx::::::::
Vendors & Products	Microsoft Microsoft azure Rtos Usbx	Eclipse Eclipse threadx Usbx

Wed, 23 Apr 2025 19:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2022-05-24T14:25:10.000Z

Updated: 2025-04-23T18:22:28.758Z

Reserved: 2022-04-13T00:00:00.000Z

Link: CVE-2022-29223

Vulnrichment

Updated: 2024-08-03T06:17:54.276Z

NVD

Status : Modified

Published: 2022-05-24T15:15:07.977

Modified: 2025-10-27T13:57:06.663

Link: CVE-2022-29223

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "usbx", "vendor": "azure-rtos", "versions": [{"status": "affected", "version": "< 6.1.10"}]}], "descriptions": [{"lang": "en", "value": "Azure RTOS USBX is a USB host, device, and on-the-go (OTG) embedded stack. In versions prior to 6.1.10, an attacker can cause a buffer overflow by providing the Azure RTOS USBX host stack a HUB descriptor with `bNbPorts` set to a value greater than `UX_MAX_TT` which defaults to 8. For a `bNbPorts` value of 255, the implementation of `ux_host_class_hub_descriptor_get` function will modify the contents of `hub` -> `ux_host_class_hub_device` -> `ux_device_hub_tt` array violating the end boundary by 255 - `UX_MAX_TT` items. The USB host stack needs to validate the number of ports reported by the hub, and if the value is larger than UX_MAX_TT, USB stack needs to reject the request. This fix has been included in USBX release 6.1.10."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-120", "description": "CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-05-24T14:25:10.000Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/azure-rtos/usbx/security/advisories/GHSA-2qc5-385m-x862"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/azure-rtos/usbx/releases/tag/v6.1.10_rel"}], "source": {"advisory": "GHSA-2qc5-385m-x862", "discovery": "UNKNOWN"}, "title": "Buffer overflow on HUB descriptor in Azure RTOS USBX", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "[email protected]", "ID": "CVE-2022-29223", "STATE": "PUBLIC", "TITLE": "Buffer overflow on HUB descriptor in Azure RTOS USBX"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "usbx", "version": {"version_data": [{"version_value": "< 6.1.10"}]}}]}, "vendor_name": "azure-rtos"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Azure RTOS USBX is a USB host, device, and on-the-go (OTG) embedded stack. In versions prior to 6.1.10, an attacker can cause a buffer overflow by providing the Azure RTOS USBX host stack a HUB descriptor with `bNbPorts` set to a value greater than `UX_MAX_TT` which defaults to 8. For a `bNbPorts` value of 255, the implementation of `ux_host_class_hub_descriptor_get` function will modify the contents of `hub` -> `ux_host_class_hub_device` -> `ux_device_hub_tt` array violating the end boundary by 255 - `UX_MAX_TT` items. The USB host stack needs to validate the number of ports reported by the hub, and if the value is larger than UX_MAX_TT, USB stack needs to reject the request. This fix has been included in USBX release 6.1.10."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')"}]}]}, "references": {"reference_data": [{"name": "https://github.com/azure-rtos/usbx/security/advisories/GHSA-2qc5-385m-x862", "refsource": "CONFIRM", "url": "https://github.com/azure-rtos/usbx/security/advisories/GHSA-2qc5-385m-x862"}, {"name": "https://github.com/azure-rtos/usbx/releases/tag/v6.1.10_rel", "refsource": "MISC", "url": "https://github.com/azure-rtos/usbx/releases/tag/v6.1.10_rel"}]}, "source": {"advisory": "GHSA-2qc5-385m-x862", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T06:17:54.276Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/azure-rtos/usbx/security/advisories/GHSA-2qc5-385m-x862"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/azure-rtos/usbx/releases/tag/v6.1.10_rel"}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-04-23T15:54:45.954266Z", "id": "CVE-2022-29223", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-23T18:22:28.758Z"}}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2022-29223", "datePublished": "2022-05-24T14:25:10.000Z", "dateReserved": "2022-04-13T00:00:00.000Z", "dateUpdated": "2025-04-23T18:22:28.758Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"containers": {"cna": {"affected": [{"product": "usbx", "vendor": "azure-rtos", "versions": [{"status": "affected", "version": "< 6.1.10"}]}], "descriptions": [{"lang": "en", "value": "Azure RTOS USBX is a USB host, device, and on-the-go (OTG) embedded stack. In versions prior to 6.1.10, an attacker can cause a buffer overflow by providing the Azure RTOS USBX host stack a HUB descriptor with `bNbPorts` set to a value greater than `UX_MAX_TT` which defaults to 8. For a `bNbPorts` value of 255, the implementation of `ux_host_class_hub_descriptor_get` function will modify the contents of `hub` -> `ux_host_class_hub_device` -> `ux_device_hub_tt` array violating the end boundary by 255 - `UX_MAX_TT` items. The USB host stack needs to validate the number of ports reported by the hub, and if the value is larger than UX_MAX_TT, USB stack needs to reject the request. This fix has been included in USBX release 6.1.10."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-120", "description": "CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-05-24T14:25:10.000Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/azure-rtos/usbx/security/advisories/GHSA-2qc5-385m-x862"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/azure-rtos/usbx/releases/tag/v6.1.10_rel"}], "source": {"advisory": "GHSA-2qc5-385m-x862", "discovery": "UNKNOWN"}, "title": "Buffer overflow on HUB descriptor in Azure RTOS USBX", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "[email protected]", "ID": "CVE-2022-29223", "STATE": "PUBLIC", "TITLE": "Buffer overflow on HUB descriptor in Azure RTOS USBX"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "usbx", "version": {"version_data": [{"version_value": "< 6.1.10"}]}}]}, "vendor_name": "azure-rtos"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Azure RTOS USBX is a USB host, device, and on-the-go (OTG) embedded stack. In versions prior to 6.1.10, an attacker can cause a buffer overflow by providing the Azure RTOS USBX host stack a HUB descriptor with `bNbPorts` set to a value greater than `UX_MAX_TT` which defaults to 8. For a `bNbPorts` value of 255, the implementation of `ux_host_class_hub_descriptor_get` function will modify the contents of `hub` -> `ux_host_class_hub_device` -> `ux_device_hub_tt` array violating the end boundary by 255 - `UX_MAX_TT` items. The USB host stack needs to validate the number of ports reported by the hub, and if the value is larger than UX_MAX_TT, USB stack needs to reject the request. This fix has been included in USBX release 6.1.10."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')"}]}]}, "references": {"reference_data": [{"name": "https://github.com/azure-rtos/usbx/security/advisories/GHSA-2qc5-385m-x862", "refsource": "CONFIRM", "url": "https://github.com/azure-rtos/usbx/security/advisories/GHSA-2qc5-385m-x862"}, {"name": "https://github.com/azure-rtos/usbx/releases/tag/v6.1.10_rel", "refsource": "MISC", "url": "https://github.com/azure-rtos/usbx/releases/tag/v6.1.10_rel"}]}, "source": {"advisory": "GHSA-2qc5-385m-x862", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T06:17:54.276Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/azure-rtos/usbx/security/advisories/GHSA-2qc5-385m-x862"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/azure-rtos/usbx/releases/tag/v6.1.10_rel"}]}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2022-29223", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-04-23T15:54:45.954266Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-23T15:54:47.526Z"}}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2022-29223", "datePublished": "2022-05-24T14:25:10.000Z", "dateReserved": "2022-04-13T00:00:00.000Z", "dateUpdated": "2025-04-23T18:22:28.758Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:eclipse:threadx_usbx:*:*:*:*:*:*:*:*", "matchCriteriaId": "DEF2B436-01FF-48B4-9055-B455338C74CB", "versionEndExcluding": "6.1.10", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Azure RTOS USBX is a USB host, device, and on-the-go (OTG) embedded stack. In versions prior to 6.1.10, an attacker can cause a buffer overflow by providing the Azure RTOS USBX host stack a HUB descriptor with `bNbPorts` set to a value greater than `UX_MAX_TT` which defaults to 8. For a `bNbPorts` value of 255, the implementation of `ux_host_class_hub_descriptor_get` function will modify the contents of `hub` -> `ux_host_class_hub_device` -> `ux_device_hub_tt` array violating the end boundary by 255 - `UX_MAX_TT` items. The USB host stack needs to validate the number of ports reported by the hub, and if the value is larger than UX_MAX_TT, USB stack needs to reject the request. This fix has been included in USBX release 6.1.10."}, {"lang": "es", "value": "Azure RTOS USBX es una pila insertada de host USB, dispositivo y on-the-go (OTG). En versiones anteriores a 6.1.10, un atacante puede causar un desbordamiento del b\u00fafer proporcionando a la pila del host Azure RTOS USBX un descriptor HUB con \"bNbPorts\" establecido en un valor mayor que \"UX_MAX_TT\", que por defecto es 8. Para un valor de \"bNbPorts\" de 255, la implementaci\u00f3n de la funci\u00f3n \"ux_host_class_hub_descriptor_get\" modificar\u00e1 el contenido del array \"hub\" -) \"ux_host_class_hub_device\" -) \"ux_device_hub_tt\" violando el l\u00edmite final en 255 - \"UX_MAX_TT\" elementos. La pila del host USB necesita comprobar el n\u00famero de puertos reportados por el hub, y si el valor es mayor que UX_MAX_TT, la pila USB necesita rechazar la petici\u00f3n. Esta correcci\u00f3n se ha incluido en versi\u00f3n 6.1.10 de USBX"}], "id": "CVE-2022-29223", "lastModified": "2025-10-27T13:57:06.663", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "[email protected]", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "[email protected]", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "[email protected]", "type": "Primary"}]}, "published": "2022-05-24T15:15:07.977", "references": [{"source": "[email protected]", "tags": ["Release Notes", "Third Party Advisory"], "url": "https://github.com/azure-rtos/usbx/releases/tag/v6.1.10_rel"}, {"source": "[email protected]", "tags": ["Release Notes", "Third Party Advisory"], "url": "https://github.com/azure-rtos/usbx/security/advisories/GHSA-2qc5-385m-x862"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes", "Third Party Advisory"], "url": "https://github.com/azure-rtos/usbx/releases/tag/v6.1.10_rel"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes", "Third Party Advisory"], "url": "https://github.com/azure-rtos/usbx/security/advisories/GHSA-2qc5-385m-x862"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-120"}], "source": "[email protected]", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-120"}], "source": "[email protected]", "type": "Primary"}]}