PT-2022-19475 · Microsoft · Azure RTOS USBX

Szymonh · Published 2022-05-24 · Updated 2025-10-27 · CVE-2022-29223

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions
Azure RTOS USBX versions prior to 6.1.10

Description
The issue arises when an attacker provides a HUB descriptor with bNbPorts set to a value greater than UX_MAX_TT (which defaults to 8), causing a buffer overflow in the Azure RTOS USBX host stack. Specifically, for a bNbPorts value of 255, the implementation of the _ux_host_class_hub_descriptor_get function modifies the contents of the hub->ux_host_class_hub_device->ux_device_hub_tt array, writing past its end by 255 - UX_MAX_TT items. The USB host stack should validate the number of ports reported by the hub and reject the descriptor if the value is larger than UX_MAX_TT.

Recommendations
For versions prior to 6.1.10, update to USBX release 6.1.10 to resolve the issue. As a temporary workaround, consider configuring the USB host stack to validate and reject HUB descriptors with bNbPorts values greater than UX_MAX_TT.
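To show what the missing bounds check looks like in practice, here is an added C example; it is not USBX's own code, and the type names, status codes and the hub_example helper are simplified stand-ins. It validates bNbPorts against UX_MAX_TT before the value is used as the bound of the fixed-size TT array, which is the check the fix in 6.1.10 introduces.

```c
#include <stddef.h>
#include <string.h>

#define UX_MAX_TT 8              /* USBX default; the real limit is the UX_MAX_TT build option */
#define UX_SUCCESS 0             /* placeholder status codes for this example, not USBX's values */
#define UX_DESCRIPTOR_CORRUPTED 1

/* Simplified device record: the per-port TT array is fixed-size,
   so bNbPorts must never be used as a bound without checking it first. */
typedef struct {
    unsigned char bNbPorts;
    unsigned char ux_device_hub_tt[UX_MAX_TT];  /* stand-in for USBX's UX_HUB_TT array */
} hub_device_t;

/* Validate a raw USB hub descriptor before its bNbPorts field is used as an array bound.
   Layout: bDescLength, bDescriptorType (0x29), bNbPorts, wHubCharacteristics, ... */
int hub_descriptor_check(const unsigned char *desc, size_t len, unsigned char *nb_ports)
{
    if (desc == NULL || len < 7 || desc[0] > len) return UX_DESCRIPTOR_CORRUPTED;
    if (desc[1] != 0x29) return UX_DESCRIPTOR_CORRUPTED;
    /* The missing check behind CVE-2022-29223: reject port counts the TT array cannot hold. */
    if (desc[2] > UX_MAX_TT) return UX_DESCRIPTOR_CORRUPTED;
    *nb_ports = desc[2];
    return UX_SUCCESS;
}

/* Fill per-port TT entries only after validation, so the loop bound is always <= UX_MAX_TT. */
int hub_tt_setup(hub_device_t *hub, const unsigned char *desc, size_t len)
{
    unsigned char ports;
    int status = hub_descriptor_check(desc, len, &ports);
    if (status != UX_SUCCESS) return status;
    hub->bNbPorts = ports;
    for (unsigned i = 0; i < ports; i++)
        hub->ux_device_hub_tt[i] = (unsigned char)(i + 1);  /* port number 1..N mapped to slot i */
    return UX_SUCCESS;
}

/* Constructed sample input: a 7-byte hub descriptor with the given port count. */
int hub_example(unsigned char nb_ports)
{
    unsigned char desc[7] = {7, 0x29, nb_ports, 0x00, 0x00, 50, 0};
    hub_device_t hub;
    memset(&hub, 0, sizeof(hub));
    return hub_tt_setup(&hub, desc, sizeof(desc));
}
```

A descriptor reporting 255 ports is rejected before any TT slot is written, whereas the unpatched path would iterate 255 times over an 8-entry array.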

Exploit · Fix · Buffer Overflow


Weakness Enumeration

Related Identifiers

CVE-2022-29223
GHSA-2QC5-385M-X862

Affected Products

Azure RTOS USBX