
Lavine Yue

#32750 of 53,633
7.8 Total CVSS
Vulnerabilities · 1
PT-2026-4937
7.8
2026-01-27
Microsoft · Thread · CVE-2026-0648
**Name of the Vulnerable Software and Affected Versions**

ThreadX (affected versions not specified)

**Description**

The issue arises from flawed error handling within the `CreateCounter()` function, located in 'threadx/utility/rtos_compatibility_layers/OSEK/tx_osek.c'. The function incorrectly validates the return value of `osek_get_counter()`. It checks for a value of 0u to indicate failure, while `osek_get_counter()` returns 12U (`E_OS_SYS_STACK`) upon failure. This discrepancy prevents the error handling branch from executing when the counter pool is exhausted. Consequently, the code casts the error code (12U) to a pointer (`OSEK_COUNTER *`), resulting in a wild pointer. Subsequent writes to this pointer lead to memory corruption or HardFaults. This can lead to denial-of-service or unauthorized memory access.

**Recommendations**

At the moment, there is no information about a newer version that contains a fix for this vulnerability.
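
The sentinel mismatch described above, as an added example that is not ThreadX source code: a constructed pool allocator returns 12U on exhaustion, and the check for 0 is compared with a check against the actual error code plus a pool-bounds test. `model_get_counter`, `POOL_SIZE`, the struct fields and the helper names are assumptions; the failed value is never dereferenced.

```c
#include <stdint.h>
#include <stdio.h>

#define E_OS_SYS_STACK 12U /* failure code named in the advisory */
#define POOL_SIZE 2U       /* constructed pool size */

typedef struct { uint32_t in_use; uint32_t max_value; } OSEK_COUNTER; /* fields are hypothetical */
static OSEK_COUNTER pool[POOL_SIZE];

void model_reset_pool(void) {
    for (unsigned i = 0; i < POOL_SIZE; i++) pool[i].in_use = 0;
}

/* Model allocator: a slot address as an integer, or E_OS_SYS_STACK when exhausted. */
uintptr_t model_get_counter(void) {
    for (unsigned i = 0; i < POOL_SIZE; i++)
        if (!pool[i].in_use) { pool[i].in_use = 1; return (uintptr_t)&pool[i]; }
    return E_OS_SYS_STACK;
}

/* Check as the advisory describes it: only 0 is treated as failure. */
int flawed_rejects(uintptr_t id) { return id == 0u; }

/* Hardened check: reject the real error code, then require an aligned slot address. */
int hardened_rejects(uintptr_t id) {
    uintptr_t base = (uintptr_t)&pool[0];
    if (id == 0u || id == E_OS_SYS_STACK) return 1;
    if (id < base || id >= base + sizeof pool) return 1;
    return (id - base) % sizeof(OSEK_COUNTER) != 0;
}

/* Exhaust the pool, then count failed allocations the check would let reach a pointer cast. */
unsigned count_missed_failures(int (*rejects)(uintptr_t)) {
    unsigned missed = 0;
    model_reset_pool();
    for (unsigned i = 0; i < POOL_SIZE + 3U; i++) {
        uintptr_t id = model_get_counter();
        if (id == E_OS_SYS_STACK && !rejects(id)) missed++; /* value is never dereferenced here */
    }
    return missed;
}

int main(void) {
    printf("flawed check missed %u failures\n", count_missed_failures(flawed_rejects));
    printf("hardened check missed %u failures\n", count_missed_failures(hardened_rejects));
    return 0;
}
```

Returning a status code separately from the handle, instead of overloading one integer for both, removes the need for any sentinel comparison at the call site.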