CVE-2026-0648
Published: 27 January 2026
Summary
CVE-2026-0648 is a high-severity Incorrect Check of Function Return Value (CWE-253) vulnerability in Eclipse ThreadX. Its CVSS base score is 7.8 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). Ranked by exploit likelihood it sits at the 6.5th percentile, well below the median, and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-11 (Error Handling) and SI-16 (Memory Protection).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-11 (Error Handling): directly mandates proper error-handling logic that correctly validates return values from functions like osek_get_counter(), preventing bypass of error branches and the creation of wild pointers from error codes.
- SI-16 (Memory Protection): implements memory protections such as canaries or page permissions to block or detect invalid memory writes to addresses like 0x0000000C caused by casting error codes to pointers.
- Flaw remediation: requires identification, reporting, and patching of flaws like the incorrect error-checking logic in CreateCounter(), as detailed in the ThreadX security advisory.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Memory corruption from the incorrect return-value check enables local privilege escalation (T1068) and targeted denial of service via HardFaults (T1499.004).
NVD Description
The vulnerability stems from an incorrect error-checking logic in the CreateCounter() function (in threadx/utility/rtos_compatibility_layers/OSEK/tx_osek.c) when handling the return value of osek_get_counter(). Specifically, the current code checks if cntr_id equals 0u to determine failure, but osek_get_counter() actually returns E_OS_SYS_STACK (defined as 12U) when it fails. This mismatch causes the error branch to never execute even when the counter pool is exhausted. As a result, when the counter pool is depleted, the code proceeds to cast the error code (12U) to a pointer (OSEK_COUNTER *), creating a wild pointer. Subsequent writes to members of this pointer lead to writes to illegal memory addresses (e.g., 0x0000000C), which can trigger immediate HardFaults or silent memory corruption. This vulnerability poses significant risks, including potential denial-of-service attacks (via repeated calls to exhaust the counter pool) and unauthorized memory access.
Deeper analysis
CVE-2026-0648 affects Eclipse ThreadX, specifically the CreateCounter() function in threadx/utility/rtos_compatibility_layers/OSEK/tx_osek.c within its OSEK compatibility layer. The vulnerability originates from flawed error-checking logic that inspects the return value of osek_get_counter(). The code treats a cntr_id of 0u as failure, but osek_get_counter() returns E_OS_SYS_STACK (12U) on failure, such as when the counter pool is exhausted. Consequently, the error-handling branch is bypassed, and the error code is cast to an OSEK_COUNTER pointer, yielding a wild pointer that enables writes to invalid memory addresses like 0x0000000C.
A local attacker with low privileges (PR:L) can exploit this, although with high attack complexity (AC:H); the CVSS v3.1 vector is AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H (7.8). Any task that can reach CreateCounter() can call it repeatedly until the pool is exhausted, at which point the next call writes through the wild pointer: the store to 0x0000000C lands at the very start of the address space, which on many MCUs is read-only flash or unmapped memory and so raises a HardFault (denial of service), while on targets where that region is writable the result is silent memory corruption. The weakness is classified as CWE-253 (Incorrect Check of Function Return Value) leading to CWE-787 (Out-of-bounds Write); the changed scope (S:C) reflects that the impact extends beyond the calling task to the rest of the system sharing that memory.
Mitigation guidance is available in the security advisory at https://github.com/eclipse-threadx/threadx/security/advisories/GHSA-xj75-fc68-h4rw, published on 2026-01-27.
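The wrong-sentinel check described in the NVD description and the analysis above, modelled as a self-contained C program. This is an added example, not ThreadX code: get_counter() stands in for osek_get_counter() and returns a pool-slot address or E_OS_SYS_STACK; the OSEK_COUNTER layout, the two-entry pool and the function names are assumptions. The vulnerable variant returns the wild pointer instead of writing through it so the program runs without faulting; the corrected variant compares against the error code the callee really returns and additionally rejects any value outside the pool.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define E_OS_SYS_STACK    12u   /* failure code named in the advisory text */
#define COUNTER_POOL_SIZE 2u    /* assumed: tiny pool so exhaustion is easy to reach */

/* Assumed layout; the real OSEK_COUNTER has different members. */
typedef struct {
    uint32_t max_allowed_value;   /* offset 0: first field written after allocation */
    uint32_t ticks_per_base;
    uint32_t current_value;
    uint32_t in_use;
} OSEK_COUNTER;

static OSEK_COUNTER counter_pool[COUNTER_POOL_SIZE];

/* Stand-in for osek_get_counter(): returns the address of a free slot as an
 * integer, or E_OS_SYS_STACK when the pool is exhausted. It never returns 0. */
static uintptr_t get_counter(void)
{
    for (size_t i = 0; i < COUNTER_POOL_SIZE; i++) {
        if (counter_pool[i].in_use == 0u) {
            counter_pool[i].in_use = 1u;
            return (uintptr_t)&counter_pool[i];
        }
    }
    return E_OS_SYS_STACK;
}

static void reset_pool(void)
{
    for (size_t i = 0; i < COUNTER_POOL_SIZE; i++)
        counter_pool[i].in_use = 0u;
}

/* Vulnerable pattern (CWE-253): tests for 0u, which get_counter() never
 * returns, so the error code slips through and is cast to a pointer.
 * Returns that pointer instead of writing through it so the demo does not
 * fault; the real code's next store, cntr->max_allowed_value = ..., would
 * land at address 0x0000000C. */
static OSEK_COUNTER *create_counter_vulnerable(void)
{
    uintptr_t cntr_id = get_counter();
    if (cntr_id == 0u) {
        return NULL;               /* never taken on failure */
    }
    return (OSEK_COUNTER *)cntr_id;
}

/* Address the first member write would hit; 0xC for the wild pointer above. */
static uintptr_t first_write_address(const OSEK_COUNTER *cntr)
{
    return (uintptr_t)cntr + offsetof(OSEK_COUNTER, max_allowed_value);
}

/* Corrected pattern: compare against the sentinel the callee really returns,
 * and additionally reject anything outside the pool so a future change to the
 * error code cannot reintroduce the bug. */
static OSEK_COUNTER *create_counter_fixed(uint32_t max_value)
{
    uintptr_t cntr_id = get_counter();
    uintptr_t lo = (uintptr_t)&counter_pool[0];
    uintptr_t hi = (uintptr_t)&counter_pool[COUNTER_POOL_SIZE];
    if (cntr_id == E_OS_SYS_STACK || cntr_id < lo || cntr_id >= hi) {
        return NULL;               /* error branch now actually runs */
    }
    OSEK_COUNTER *cntr = (OSEK_COUNTER *)cntr_id;
    cntr->max_allowed_value = max_value;
    cntr->current_value = 0u;
    return cntr;
}

int main(void)
{
    reset_pool();
    for (int i = 0; i < 3; i++) {
        OSEK_COUNTER *c = create_counter_vulnerable();
        printf("vulnerable call %d -> %p (first write at 0x%08lx)\n",
               i + 1, (void *)c, (unsigned long)first_write_address(c));
    }
    reset_pool();
    for (int i = 0; i < 3; i++) {
        OSEK_COUNTER *c = create_counter_fixed(100u);
        printf("fixed call %d -> %s\n", i + 1, c ? "counter" : "error, pool exhausted");
    }
    return 0;
}
```

Build with `cc -std=c11 cwe253_demo.c && ./a.out`. The third vulnerable call returns (OSEK_COUNTER *)12 and its first member write would go to 0x0000000C; the third fixed call returns NULL. The range check in the fixed variant is the practitioner's belt-and-braces addition: comparing against a single magic error code is exactly the kind of check that rots when the callee's sentinel changes.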
Details
- CWE(s)