CVE-2025-55099 identifies an out-of-bounds read vulnerability (CWE-125) in the USBX USB support module of the Eclipse Foundation's ThreadX real-time operating system, specifically in versions before 6.4.3. The vulnerability resides in the function _ux_host_class_audio_alternate_setting_locate(), which is responsible for parsing USB audio class alternate setting descriptors. When processing descriptors containing frequency fields controlled by an attacker, the function may read memory beyond the allocated buffer boundaries. This can lead to unintended disclosure of memory contents or cause system instability due to invalid memory access. The vulnerability does not require authentication, user interaction, or elevated privileges, but exploitation requires the attacker to connect a malicious USB device or manipulate USB traffic. The CVSS 4.0 vector indicates a physical attack vector (AV:P), low complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), and low impact on confidentiality (VC:N), integrity (VI:L), and no impact on availability (VA:N). No patches or exploits are currently publicly available, but the issue is addressed in USBX version 6.4.3. Given USBX's role in embedded and IoT devices, the vulnerability could affect a wide range of products using ThreadX, including industrial controllers, automotive systems, and telecommunications equipment.

For European organizations, the impact of CVE-2025-55099 is generally low due to the limited severity and attack vector requiring physical or logical USB device connection. However, sectors relying heavily on embedded systems and IoT devices running ThreadX with USBX, such as manufacturing, automotive, telecommunications, and critical infrastructure, could face risks of information leakage or device instability. This could lead to disruptions in operational technology environments or compromise sensitive data processed by embedded devices. The vulnerability could also serve as a foothold for further attacks if combined with other vulnerabilities. Although no known exploits exist yet, the presence of this flaw in widely deployed embedded systems necessitates proactive mitigation to prevent potential exploitation, especially in environments where USB device control is less stringent.

1. Upgrade all affected systems to USBX version 6.4.3 or later where the vulnerability is fixed. 2. Implement strict USB device control policies to limit connection of unauthorized or untrusted USB devices, including physical port lockdowns and endpoint security solutions. 3. Employ USB traffic monitoring and anomaly detection to identify suspicious descriptor parsing or unusual USB device behavior. 4. For embedded device manufacturers, incorporate rigorous input validation and boundary checks on USB descriptors during development and testing. 5. Conduct regular firmware and software audits to identify usage of vulnerable USBX versions in deployed devices. 6. Educate operational technology and security teams about the risks associated with USB device attacks and enforce security best practices in industrial and critical infrastructure environments.