CVE-2025-55100: CWE-125 Out-of-bounds Read in Eclipse Foundation USBX
In USBX before 6.4.3, the USB support module for Eclipse Foundation ThreadX, there was a potential out of bound read issue in _ux_host_class_audio10_sam_parse_func() when parsing a list of sampling frequencies.
AI Analysis
Technical Summary
CVE-2025-55100 identifies an out-of-bounds read (CWE-125) in USBX, the USB stack that the Eclipse Foundation ships alongside ThreadX, in releases before 6.4.3. The affected function, _ux_host_class_audio10_sam_parse_func(), belongs to the host-side USB Audio Class 1.0 driver and walks the list of sampling frequencies that an attached audio device advertises in its descriptors. The read goes out of bounds when the count or length the device declares for that list does not match the bytes actually present, so the parser walks past the end of the descriptor data it was given. The consequences are disclosure of whatever adjacent memory the parser reads and, where the read reaches unmapped memory on the target MCU, a fault and device reset. The attack vector is physical: an attacker needs to attach a malicious or malformed USB audio device to a ThreadX system that is acting as USB host with the audio host class enabled, and a user (or the system itself) has to accept the enumeration. No privileges or authentication are required. The CVSS 4.0 score is 2.4 (low), reflecting the physical vector and the limited impact of a read-only bug. No in-the-wild exploitation has been reported. The advisory record links no separate patch, but its description identifies 6.4.3 as the first fixed release. Exposure is confined to embedded and IoT products built on ThreadX that use USBX in host mode with the audio class compiled in; products using USBX only in device mode, or without the audio host class, do not run the affected parser. Such host-mode builds appear in industrial, automotive, and consumer electronics.
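The shape of the bug is easiest to see on the descriptor the parser consumes. The USB Audio Class 1.0 specification defines the Type I Format Type descriptor as an 8-byte header whose last byte, bSamFreqType, gives the number of 3-byte sampling-frequency entries that follow (0 means a continuous range expressed as two 3-byte bounds), and bLength must cover header plus entries. The following C is an added illustration written for this page, not USBX's own code and not the patched function: it shows a parser that trusts the device-supplied count (the CWE-125 pattern) next to one that cross-checks the count against bLength and the remaining buffer. The descriptor bytes are constructed sample input; the function and constant names are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* USB Audio 1.0 Type I Format Type descriptor (constructed layout per the UAC 1.0 spec):
 *   [0] bLength           [4] bNrChannels
 *   [1] bDescriptorType   [5] bSubframeSize      (CS_INTERFACE = 0x24)
 *   [2] bDescriptorSubtype[6] bBitResolution     (FORMAT_TYPE  = 0x02)
 *   [3] bFormatType       [7] bSamFreqType       (FORMAT_TYPE_I = 0x01)
 *   [8..] tSamFreq entries, 3 bytes each, little-endian (2 entries when bSamFreqType == 0) */
#define UAC1_FMT_HDR_LEN   8u
#define UAC1_SAM_FREQ_LEN  3u
#define UAC1_MAX_FREQS     16u

typedef enum { UAC1_OK = 0, UAC1_ERR_SHORT_BUFFER, UAC1_ERR_BAD_TYPE,
               UAC1_ERR_BAD_LENGTH, UAC1_ERR_TOO_MANY } uac1_status_t;

static uint32_t read_u24le(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16);
}

/* Vulnerable pattern: bSamFreqType alone drives the loop. Nothing ties the walk to
 * bLength or to the size of the buffer, so a crafted count reads whatever follows
 * the descriptor. Deliberately takes no length argument to make that explicit. */
size_t uac1_parse_sam_freqs_unchecked(const uint8_t *desc, uint32_t *out, size_t out_max) {
    uint8_t n = desc[7];
    const uint8_t *p = desc + UAC1_FMT_HDR_LEN;
    size_t count = 0;
    for (uint8_t i = 0; i < n && count < out_max; i++, p += UAC1_SAM_FREQ_LEN)
        out[count++] = read_u24le(p);        /* runs past the descriptor for n > (bLength-8)/3 */
    return count;
}

/* Hardened parser: every read is bounded by both the descriptor's own bLength and
 * the number of bytes the caller actually holds. */
uac1_status_t uac1_parse_sam_freqs_checked(const uint8_t *buf, size_t buf_len,
                                           uint32_t *out, size_t out_max, size_t *out_count) {
    *out_count = 0;
    if (buf_len < UAC1_FMT_HDR_LEN) return UAC1_ERR_SHORT_BUFFER;
    size_t b_length = buf[0];
    if (b_length > buf_len) return UAC1_ERR_SHORT_BUFFER;   /* claims more than we were given */
    if (buf[1] != 0x24 || buf[2] != 0x02 || buf[3] != 0x01) return UAC1_ERR_BAD_TYPE;
    size_t entries = (buf[7] == 0) ? 2u : (size_t)buf[7];   /* continuous range = lower + upper */
    size_t need = UAC1_FMT_HDR_LEN + entries * UAC1_SAM_FREQ_LEN;
    if (need > b_length) return UAC1_ERR_BAD_LENGTH;         /* count disagrees with bLength */
    if (entries > out_max) return UAC1_ERR_TOO_MANY;
    for (size_t i = 0; i < entries; i++)
        out[i] = read_u24le(buf + UAC1_FMT_HDR_LEN + i * UAC1_SAM_FREQ_LEN);
    *out_count = entries;
    return UAC1_OK;
}

/* Constructed sample: well-formed descriptor advertising 44100 and 48000 Hz. */
const uint8_t uac1_good_desc[14] = {
    14, 0x24, 0x02, 0x01, 2, 2, 16, 2,
    0x44, 0xAC, 0x00,          /* 44100 = 0x00AC44 */
    0x80, 0xBB, 0x00           /* 48000 = 0x00BB80 */
};

/* Constructed sample: a crafted descriptor (bLength 11, room for one entry) that
 * claims 255 entries, followed by the next descriptor and filler standing in for
 * whatever else sits in the configuration buffer. */
const uint8_t uac1_crafted_config[64] = {
    11, 0x24, 0x02, 0x01, 1, 2, 16, 255,
    0x80, 0xBB, 0x00,                                      /* the one real entry: 48000 Hz */
    0x09, 0x05, 0x01, 0x09, 0x40, 0x00, 0x01, 0x00, 0x00,  /* a following endpoint descriptor */
    0xDE, 0xAD, 0xBE, 0xEF                                 /* adjacent memory the leak exposes */
};

int main(void) {
    uint32_t freqs[UAC1_MAX_FREQS];
    size_t n = uac1_parse_sam_freqs_unchecked(uac1_crafted_config, freqs, UAC1_MAX_FREQS);
    printf("unchecked parser returned %zu entries from an 11-byte descriptor:\n", n);
    for (size_t i = 0; i < n; i++) printf("  [%zu] %u Hz\n", i, freqs[i]);
    size_t count = 0;
    uac1_status_t st = uac1_parse_sam_freqs_checked(uac1_crafted_config, sizeof uac1_crafted_config,
                                                    freqs, UAC1_MAX_FREQS, &count);
    printf("checked parser status %d, %zu entries\n", (int)st, count);
    return 0;
}
```

On the crafted input the unchecked parser happily reports 16 "sampling frequencies", every one after the first being bytes of the neighbouring endpoint descriptor and the filler, which is exactly the disclosure the CWE-125 classification describes; on a real MCU a large enough count walks off the end of the enumeration buffer and faults. The checked parser rejects the same descriptor with UAC1_ERR_BAD_LENGTH before touching a single entry, and also refuses a descriptor whose bLength exceeds the bytes the caller holds, which is the case a truncated configuration descriptor produces.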
Potential Impact
For European organizations, the impact of CVE-2025-55100 is generally low but context-dependent. Products running ThreadX with USBX prior to 6.4.3 that act as USB host and accept USB audio devices could be exposed to memory disclosure or instability when a malicious or malformed device is attached. That means leakage of whatever memory sits next to the descriptor buffer, or a denial of service if the out-of-bounds read faults and the device resets. Sectors such as manufacturing, automotive, healthcare, and critical infrastructure that deploy embedded systems with USB audio host capability may face operational disruption or, less likely, exposure of sensitive data held in memory. The requirement for physical access and user interaction rules out remote exploitation and large-scale campaigns. As described, the bug is a read, not a write: it does not by itself provide code execution or privilege escalation, which keeps the severity low. Organizations should nonetheless weigh targeted attacks with planted USB hardware, and the supply-chain risk of not knowing which fielded firmware carries the affected stack.
Mitigation Recommendations
European organizations should upgrade affected firmware to USBX 6.4.3 or later, the first release the advisory identifies as fixed, and monitor the Eclipse Foundation for any follow-up advisories. Because the parsing happens inside the USBX host class driver during device enumeration, before any application code sees the data, input validation at the application level cannot reach this bug; the fix has to be in the stack, either by upgrading or by backporting the bounds check. Start by inventorying firmware: identify products that embed ThreadX with USBX in host mode and the audio host class compiled in, since builds that use USBX only in device mode or without that class do not run the affected parser. Until patched firmware is deployed, apply strict USB device control: disable unused ports, restrict which device classes the host will enumerate where the stack allows it, and use hardware port locks or physical security to prevent unauthorized connections. Train users not to attach untrusted USB devices, and treat unexplained resets or watchdog events on fielded devices as a signal worth investigating, since a crash is how this bug would most likely surface. Finally, work with device manufacturers to confirm their firmware update path and their vulnerability management for third-party components such as USBX.
Affected Countries
Germany, France, United Kingdom, Italy, Netherlands, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: eclipse
- Date Reserved: 2025-08-06T18:56:43.458Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68f1d8459c34d0947ffb7eb8
Added to database: 10/17/2025, 5:46:45 AM
Last enriched: 10/17/2025, 6:01:47 AM
Last updated: 10/19/2025, 10:10:38 AM
Views: 13