Szymonh

**Name of the Vulnerable Software and Affected Versions** Zephyr versions prior to 2.4.0 **Description** The issue is related to a buffer overflow in the implementation of `net buf add mem` in the USB device Bluetooth class. **Recommendations** For versions prior to 2.4.0, update to version 2.4.0 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Azure RTOS USBX versions prior to 6.1.12 **Description** The issue arises from the `ux host class pima read` function in Azure RTOS USBX, where the data length from a device response is read and used in calculations. Specifically, the `header length` value is used in a comparison that can lead to an overflow if `header length` is smaller than `UX HOST CLASS PIMA DATA HEADER SIZE`. This overflow can cause a write buffer overflow when moving the `data pointer` in a while loop. The estimated number of potentially affected devices is not provided. **Recommendations** For Azure RTOS USBX versions prior to 6.1.12, update to version 6.1.12 or later to resolve the issue. As a temporary workaround, add a check for `header length` to ensure it is greater than `UX HOST CLASS PIMA DATA HEADER SIZE` and greater than or equal to the current returned data length (`transfer request -> ux transfer request actual length`).

**Name of the Vulnerable Software and Affected Versions** Azure RTOS USBX versions prior to 6.1.12 **Description** The issue is related to a buffer overflow and integer underflow in the Azure RTOS USBX implementation of host support for USB CDC ECM, specifically in the ` ux host class cdc ecm mac address get` function. This may allow a remote attacker to execute arbitrary code or cause a denial of service by setting the mac address string descriptor length to 0 or 1, introducing an integer underflow followed by a buffer overflow of the `cdc ecm -> ux host class cdc ecm node id` array. **Recommendations** For Azure RTOS USBX versions prior to 6.1.12, update to version 6.1.12 or later to resolve the issue. As a temporary workaround, improved mac address string descriptor length validation to check for unexpectedly small values may be used. Consider restricting access to the ` ux host class cdc ecm mac address get` function until the update is applied.

**Name of the Vulnerable Software and Affected Versions** Azure RTOS USBX versions prior to 6.1.11 **Description** The issue concerns a buffer overflow in the USBX DFU UPLOAD functionality, which can be exploited to overwrite memory contents, bypass security features, or execute arbitrary code. This occurs when the `ux device class dfu control request` function fails to prevent a buffer overflow during the handling of the DFU UPLOAD command. Specifically, when an attacker sends the `UX SLAVE CLASS DFU COMMAND UPLOAD` control transfer request with a `wLenght` larger than the buffer size (`UX SLAVE REQUEST CONTROL MAX LENGTH`, 256 bytes), a buffer overflow may happen, especially if `dfu -> ux slave class dfu read` reads more data than the buffer can hold. This could lead to platform compromise if the attacker has control over the read flash memory. **Recommendations** For Azure RTOS USBX versions prior to 6.1.11, update to version 6.1.11 to resolve the issue. As a temporary workaround, align the request and buffer size to ensure that buffer boundaries are respected, preventing potential overflows.

**Name of the Vulnerable Software and Affected Versions** Azure RTOS USBX versions prior to 6.1.10 **Description** The issue arises when an attacker provides a HUB descriptor with `bNbPorts` set to a value greater than `UX MAX TT`, which defaults to 8, causing a buffer overflow in the Azure RTOS USBX host stack. Specifically, for a `bNbPorts` value of 255, the implementation of the `ux host class hub descriptor get` function modifies the contents of the `hub` -> `ux host class hub device` -> `ux device hub tt` array, violating the end boundary by 255 - `UX MAX TT` items. The USB host stack should validate the number of ports reported by the hub and reject the request if the value is larger than `UX MAX TT`. **Recommendations** For versions prior to 6.1.10, update to USBX release 6.1.10 to resolve the issue. As a temporary workaround, consider configuring the USB host stack to validate and reject HUB descriptors with `bNbPorts` values greater than `UX MAX TT`.

**Name of the Vulnerable Software and Affected Versions** Zephyr versions >= v2.6.0 **Description** The issue is related to a buffer overflow in the USB device class, specifically a heap-based buffer overflow. This is classified as CWE-122. **Recommendations** For Zephyr versions >= v2.6.0, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Zephyr versions >= v2.6.0 **Description** The RNDIS USB device class includes a buffer overflow vulnerability, specifically a Heap-based Buffer Overflow (CWE-122). **Recommendations** For Zephyr versions >= v2.6.0, at the moment, there is no information about a newer version that contains a fix for this vulnerability.