CVE-2025-55096: CWE-191 Integer Underflow (Wrap or Wraparound) in Eclipse Foundation NetX Duo
In USBX before 6.4.3, the USB support module for Eclipse Foundation ThreadX, there was a potential out-of-bounds read issue in _ux_host_class_hid_report_descriptor_get() when parsing a descriptor of a USB HID device.
AI Analysis
Technical Summary
CVE-2025-55096 identifies an integer underflow vulnerability (CWE-191) in the USBX component of Eclipse Foundation's NetX Duo, affecting versions prior to 6.4.3. The flaw is in _ux_host_class_hid_report_descriptor_get(), the function that parses USB Human Interface Device (HID) report descriptors. A length value that wraps during parsing can drive an out-of-bounds read, potentially exposing memory contents or destabilizing the system. The attack vector is local with high attack complexity; no privileges, authentication, or user interaction are required. The CVSS 4.0 base score is 2.1, reflecting low severity given the limited impact and exploitation difficulty. No public exploits or widespread attacks have been reported. USBX is a USB host/device stack used primarily in embedded and IoT devices, often integrated with the ThreadX RTOS, so the affected population is embedded products that communicate with USB HID devices, including industrial controllers, medical devices, and consumer electronics. The absence of a patch link suggests that remediation requires upgrading to USBX 6.4.3 or later once available. Exploitation could lead to information disclosure or denial of service through the memory-safety violation, but no code execution or privilege escalation is indicated. The flaw underlines the need for robust length validation when parsing USB descriptors in embedded software stacks.
Potential Impact
For European organizations, the impact is primarily on embedded systems and IoT devices that incorporate the vulnerable USBX versions. Potential consequences include information leakage from out-of-bounds reads and possible device instability or crashes, which could disrupt operations in critical infrastructure, manufacturing, or healthcare sectors. Although the vulnerability requires local access and has high attack complexity, insider threats or compromised devices could exploit it. The limited severity and lack of known exploits reduce immediate risk, but unpatched devices in industrial control systems or medical equipment could face reliability issues or data exposure. European companies relying on embedded USB HID devices in their supply chains or products should assess exposure. The impact on confidentiality and availability is low to moderate, with integrity impact minimal. Operational disruptions in critical sectors could have cascading effects, emphasizing the need for timely mitigation.
Mitigation Recommendations
1. Upgrade USBX to version 6.4.3 or later as soon as it becomes available to ensure the vulnerability is patched.
2. Conduct an inventory of embedded devices and IoT systems using NetX Duo USBX to identify potentially affected assets.
3. Implement strict access controls to limit local access to embedded devices, reducing the attack surface.
4. Monitor USB HID device interactions and logs for anomalous behavior that could indicate exploitation attempts.
5. Where possible, apply input validation and boundary checks in custom USB HID parsing code to mitigate risks.
6. Collaborate with device manufacturers and suppliers to confirm firmware updates addressing this vulnerability.
7. For critical infrastructure, consider network segmentation and device isolation to contain potential exploitation.
8. Maintain up-to-date asset management and vulnerability scanning focused on embedded systems.
9. Educate operational technology (OT) personnel about this vulnerability and the importance of patching embedded USB stacks.
10. Prepare incident response plans specific to embedded device compromise scenarios.
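The technical summary describes the flaw class (a length value wrapping during HID report descriptor parsing, leading to an out-of-bounds read) and mitigation 5 asks for boundary checks in descriptor parsing code. The following is an added illustrative example, not USBX or ThreadX code and not the patched function: a minimal walker over HID report descriptor items (short items with a 0/1/2/4-byte payload encoded in the prefix, long items with the 0xFE prefix and an explicit size byte) that checks the claimed item length against the bytes actually remaining before advancing. The sample descriptor bytes are constructed for the example, and naive_remaining() only demonstrates the CWE-191 wraparound arithmetic that the check guards against.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Payload length encoded in bits 0-1 of a HID short-item prefix byte. */
static size_t hid_short_item_len(uint8_t prefix) {
    static const size_t sizes[4] = {0, 1, 2, 4};
    return sizes[prefix & 0x03];
}

/* The unchecked arithmetic: with an unsigned "remaining" counter,
 * remaining - consumed wraps to a huge value when consumed > remaining,
 * so a loop bounded by it keeps reading past the end of the buffer.
 * Shown only to illustrate the wrap; never use this as a bound. */
size_t naive_remaining(size_t remaining, size_t consumed) {
    return remaining - consumed;
}

/* Walk a HID report descriptor and return the number of items found,
 * or -1 if any item claims more bytes than remain in the buffer. */
int hid_walk_descriptor(const uint8_t *desc, size_t len) {
    size_t pos = 0;
    int items = 0;

    while (pos < len) {
        size_t remaining = len - pos;   /* >= 1 here because pos < len */
        uint8_t prefix = desc[pos];
        size_t hdr, data_len;

        if (prefix == 0xFE) {
            /* Long item: prefix, bDataSize, bLongItemTag, then data. */
            if (remaining < 3) return -1;
            data_len = desc[pos + 1];
            hdr = 3;
        } else {
            data_len = hid_short_item_len(prefix);
            hdr = 1;
        }

        /* Compare before subtracting: remaining >= hdr is guaranteed above,
         * so remaining - hdr cannot wrap, and data_len is checked against it. */
        if (data_len > remaining - hdr) return -1;

        pos += hdr + data_len;   /* cannot exceed len after the check */
        items++;
    }
    return items;
}

/* Constructed sample: Usage Page (Generic Desktop), Usage (Mouse),
 * Collection (Application), End Collection -> four short items. */
const uint8_t sample_mouse_desc[] = {0x05, 0x01, 0x09, 0x02, 0xA1, 0x01, 0xC0};
const size_t sample_mouse_desc_len = sizeof(sample_mouse_desc);

/* Constructed sample: prefix 0x07 claims a 4-byte payload but only 2 follow. */
const uint8_t sample_truncated_desc[] = {0x07, 0x00, 0x01};
const size_t sample_truncated_desc_len = sizeof(sample_truncated_desc);

int main(void) {
    printf("well-formed descriptor: %d items\n",
           hid_walk_descriptor(sample_mouse_desc, sample_mouse_desc_len));
    printf("truncated descriptor:   %d\n",
           hid_walk_descriptor(sample_truncated_desc, sample_truncated_desc_len));
    printf("naive 2 - 5 as size_t:  %zu\n", naive_remaining(2, 5));
    return 0;
}
```

The check `data_len > remaining - hdr` is the whole point: it rejects a truncated item instead of letting the position counter or remaining-length counter wrap. The same pattern applies to any descriptor walker, including the configuration, interface and endpoint descriptors a host stack parses before reaching the HID report descriptor.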
Affected Countries
Germany, Netherlands, France, Italy, United Kingdom, Sweden, Finland
Technical Details
- Data Version: 5.1
- Assigner Short Name: eclipse
- Date Reserved: 2025-08-06T18:56:43.458Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68f1d5f59c34d0947ffa1173
Added to database: 10/17/2025, 5:36:53 AM
Last enriched: 10/17/2025, 5:46:45 AM
Last updated: 10/19/2025, 11:16:52 AM
Views: 14