Vulnerability Description
The function _ux_host_class_storage_media_mount() is responsible for mounting partitions on a USB mass storage device. When it encounters an extended partition entry in the partition table, it recursively calls itself to mount the next logical partition. This recursion occurs in _ux_host_class_storage_partition_read(), which parses up to four partition entries. If an extended partition is found (with type UX_HOST_CLASS_STORAGE_PARTITION_EXTENDED or EXTENDED_LBA_MAPPED), the code invokes: _ux_host_class_storage_media_mount(storage, sector + _ux_utility_long_get(...)); There is no limit on the recursion depth or tracking of visited sectors. As a result, a malicious or malformed disk image can include cyclic or excessively deep chains of extended partitions, causing the function to recurse until stack overflow occurs.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Eclipse | Threadx Usbx | <= 6.4.2 |
Related Weaknesses (CWE)
References
- https://github.com/eclipse-threadx/usbx/security/advisories/GHSA-qfmp-wch9-rpv2ExploitVendor Advisory
FAQ
What is CVE-2025-55095?
CVE-2025-55095 is a vulnerability with a CVSS score of 4.2 (MEDIUM). The function _ux_host_class_storage_media_mount() is responsible for mounting partitions on a USB mass storage device. When it encounters an extended partition entry in the partition table, it recursi...
How severe is CVE-2025-55095?
CVE-2025-55095 has been rated MEDIUM with a CVSS base score of 4.2/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-55095?
Check the references section above for vendor advisories and patch information. Affected products include: Eclipse Threadx Usbx.