CVE-2025-55097 identifies an out-of-bounds read vulnerability classified under CWE-125 in the USBX component of the Eclipse Foundation's ThreadX real-time operating system. USBX provides USB host and device support for embedded systems, and this vulnerability specifically resides in the _ux_host_class_audio_streaming_sampling_get() function, which parses descriptors from USB audio streaming devices. The flaw arises when the function improperly handles descriptor data, leading to reading memory beyond the allocated buffer boundaries. Such out-of-bounds reads can cause undefined behavior including application crashes or potential leakage of sensitive memory contents. The vulnerability affects USBX versions prior to 6.4.3. Exploitation requires an attacker to connect a specially crafted malicious USB audio device to the target system. No authentication or user interaction is required, but physical access to the device is necessary. The CVSS 4.0 base score is 2.4, indicating low severity due to limited impact and attack vector requiring physical proximity. No known exploits have been reported in the wild as of the publication date. The vulnerability is relevant primarily to embedded systems and IoT devices using ThreadX with USBX for USB audio streaming support, which are common in industrial control, automotive infotainment, and medical devices. The lack of a patch link suggests that users should upgrade to USBX 6.4.3 or later once available. The vulnerability does not affect confidentiality, integrity, or availability at a high level but could cause minor disruptions or information leakage in constrained environments.

For European organizations, the impact of CVE-2025-55097 is generally low but context-dependent. Embedded systems and IoT devices running ThreadX with USBX are prevalent in sectors such as automotive manufacturing, industrial automation, and healthcare equipment. An attacker with physical access could exploit this vulnerability by connecting a malicious USB audio device, potentially causing device crashes or limited information disclosure. This could disrupt critical operations or leak sensitive data in safety-critical environments. While the vulnerability does not allow remote exploitation or privilege escalation, the physical access requirement limits the attack surface. However, in environments with many connected embedded devices, such as factories or hospitals, the risk of insider threats or supply chain attacks increases. European organizations with stringent safety and compliance requirements must consider this vulnerability as part of their embedded device security posture. Failure to address it could lead to operational downtime or minor data leaks, impacting business continuity and regulatory compliance.

1. Upgrade USBX to version 6.4.3 or later as soon as the patch becomes available to eliminate the out-of-bounds read vulnerability. 2. Implement strict USB device control policies to restrict connection of unauthorized USB devices, especially in sensitive environments. 3. Employ hardware-based USB port lockdown or disable unused USB ports on embedded devices to reduce physical attack vectors. 4. Conduct regular security audits and firmware integrity checks on embedded systems running ThreadX to detect unauthorized modifications. 5. Use device whitelisting and endpoint security solutions tailored for embedded and IoT environments to monitor USB device interactions. 6. Educate operational technology (OT) personnel about the risks of connecting untrusted USB devices to critical systems. 7. Collaborate with device vendors to ensure timely firmware updates and security patches are applied. 8. Consider network segmentation and monitoring to isolate embedded devices and detect anomalous behavior resulting from exploitation attempts.