CVE-2025-55100

CriticalPublic PoC

Published: 17 October 2025

Published

17 October 2025

Modified

23 October 2025

KEV Added

—

Patch

—

CVSS Score 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

EPSS Score 0.0012 29.8th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-55100 is a critical-severity Out-of-bounds Read (CWE-125) vulnerability in Eclipse Threadx Usbx. Its CVSS base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 29.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly mitigates the out-of-bounds read vulnerability by requiring timely flaw remediation through upgrading USBX to version 6.4.3 or later.

SI-10 Information Input Validation good match

prevent

Requires validation of format, type, range, and length of USB audio sampling frequency list inputs to prevent out-of-bounds reads in the parsing function.

SI-16 Memory Protection good match

prevent

Implements memory protections such as address space isolation to prevent unauthorized disclosure or crashes from out-of-bounds reads in USBX.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

Remote, unauthenticated network exploitation of a public-facing USB parser vulnerability enabling information disclosure and DoS.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

In USBX before 6.4.3, the USB support module for Eclipse Foundation ThreadX, there was a potential out of bound read issue in _ux_host_class_audio10_sam_parse_func() when parsing a list of sampling frequencies.

Deeper analysisAI

CVE-2025-55100 affects USBX before version 6.4.3, the USB support module for the Eclipse Foundation's ThreadX real-time operating system. The vulnerability is a potential out-of-bounds read issue in the function _ux_host_class_audio10_sam_parse_func() when parsing a list of sampling frequencies. Classified as CWE-125 (Out-of-bounds Read), it received a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H) upon publication on 2025-10-17.

Remote attackers can exploit this vulnerability over the network with low complexity, requiring no privileges, authentication, or user interaction. Exploitation leads to high confidentiality and availability impacts, potentially allowing sensitive information disclosure via memory reads or denial-of-service through application crashes, while integrity remains unaffected.

The GitHub security advisory (GHSA-j253-w29r-9m48) at https://github.com/eclipse-threadx/usbx/security/advisories/GHSA-j253-w29r-9m48 details the issue, with mitigation achieved by upgrading to USBX 6.4.3 or later.