PT-2022-24914 · Microsoft · Azure Rtos Usbx

Published

2022-11-04

·

Updated

2022-11-07

·

CVE-2022-39344

CVSS v3.1

9.8

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

Azure RTOS USBX versions prior to 6.1.12
Description

The USB DFU UPLOAD functionality in Azure RTOS USBX can be used to trigger a buffer overflow that overwrites memory contents. Depending on the device, this may allow an attacker to bypass security features or execute arbitrary code. The ux_device_class_dfu_control_request function bounds the requested UPLOAD length against the control buffer only when the current state is UX_SYSTEM_DFU_STATE_DFU_IDLE; an UPLOAD request that arrives in any other DFU state is handled without that length check, so an oversized request overflows the buffer.
Recommendations

For versions prior to 6.1.12, upgrade to version 6.1.12 or later. As a temporary workaround, add the UPLOAD length check in every DFU state, not only UX_SYSTEM_DFU_STATE_DFU_IDLE, so that an oversized request is rejected before any data is copied into the control buffer.
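The following is an added example, not USBX code and not from this advisory's source: a small model of a DFU UPLOAD control-request handler that shows the state-dependent length check described above next to the state-independent check the workaround calls for. CONTROL_BUFFER_SIZE (256), the state names DFU_STATE_IDLE / DFU_STATE_UPLOAD_IDLE / DFU_STATE_ERROR, the read_cb callback and the two-request attack sequence (a legal UPLOAD that leaves DFU_IDLE, then an oversized one) are this example's own assumptions; the advisory names only the DFU_IDLE check and the "all possible states" workaround.

```c
/* Added example modelling the advisory's DFU UPLOAD length-check bug; not USBX code.
 * Buffer size, state names, callback and attack sequence are assumptions of this demo. */
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define CONTROL_BUFFER_SIZE 256u   /* assumed size of the control-transfer buffer */
#define DFU_REQUEST_UPLOAD  2u     /* bRequest value of DFU_UPLOAD in USB DFU 1.1 */

enum dfu_state { DFU_STATE_IDLE, DFU_STATE_UPLOAD_IDLE, DFU_STATE_ERROR };
enum handler_result { HANDLER_OK, HANDLER_STALL };

struct setup_packet { uint8_t bRequest; uint16_t wValue; uint16_t wLength; };

struct dfu_device {
    enum dfu_state state;
    uint8_t control_buffer[CONTROL_BUFFER_SIZE];
    /* hypothetical application callback: copy `length` bytes of block `block` into `buf` */
    uint32_t (*read_cb)(struct dfu_device *dev, uint32_t block, uint8_t *buf, uint32_t length);
    uint32_t last_read_length;    /* instrumentation: length the handler passed to read_cb */
    bool     overflow_detected;   /* instrumentation: that length exceeded the buffer */
};

/* Demo read callback in the style of a "read the whole flash" reader: it trusts the
 * length it is given. A real callback would memcpy() that many bytes into buf and
 * overrun it; here the copy is clamped and the request only recorded, so the demo
 * stays memory-safe while still showing what the handler let through. */
static uint32_t demo_flash_read(struct dfu_device *dev, uint32_t block, uint8_t *buf, uint32_t length)
{
    uint32_t copied = length > CONTROL_BUFFER_SIZE ? CONTROL_BUFFER_SIZE : length;
    dev->last_read_length = length;
    dev->overflow_detected = length > CONTROL_BUFFER_SIZE;
    memset(buf, (int)(block & 0xffu), copied);   /* stand-in for flash contents */
    return length;
}

/* Common body: hand the block to the callback and advance the state machine. */
static enum handler_result serve_upload(struct dfu_device *dev, const struct setup_packet *sp)
{
    dev->read_cb(dev, sp->wValue, dev->control_buffer, sp->wLength);
    if (dev->state == DFU_STATE_IDLE) dev->state = DFU_STATE_UPLOAD_IDLE;  /* more blocks follow */
    return HANDLER_OK;
}

/* Vulnerable pattern: wLength is bounded only while the state machine is in DFU_IDLE. */
static enum handler_result dfu_upload_vulnerable(struct dfu_device *dev, const struct setup_packet *sp)
{
    if (sp->bRequest != DFU_REQUEST_UPLOAD) return HANDLER_STALL;
    switch (dev->state) {
    case DFU_STATE_IDLE:
        if (sp->wLength > CONTROL_BUFFER_SIZE) return HANDLER_STALL;   /* the only check */
        return serve_upload(dev, sp);
    case DFU_STATE_UPLOAD_IDLE:
        return serve_upload(dev, sp);   /* no bound: attacker-chosen wLength reaches the callback */
    default:
        return HANDLER_STALL;
    }
}

/* Hardened pattern, the workaround the advisory describes: bound wLength before the
 * state is consulted, so every state is covered by the same check. */
static enum handler_result dfu_upload_hardened(struct dfu_device *dev, const struct setup_packet *sp)
{
    if (sp->bRequest != DFU_REQUEST_UPLOAD) return HANDLER_STALL;
    if (sp->wLength > CONTROL_BUFFER_SIZE) {
        dev->state = DFU_STATE_ERROR;   /* refuse and park the device in dfuERROR */
        return HANDLER_STALL;
    }
    if (dev->state != DFU_STATE_IDLE && dev->state != DFU_STATE_UPLOAD_IDLE) return HANDLER_STALL;
    return serve_upload(dev, sp);
}

typedef enum handler_result (*upload_handler_fn)(struct dfu_device *, const struct setup_packet *);

static void device_init(struct dfu_device *dev, enum dfu_state state)
{
    memset(dev, 0, sizeof *dev);
    dev->state = state;
    dev->read_cb = demo_flash_read;
}

/* One oversized UPLOAD (wLength = 4096) issued while the device sits in `start`. */
static enum handler_result oversized_upload_from(upload_handler_fn handler, enum dfu_state start)
{
    struct dfu_device dev;
    struct setup_packet sp = { DFU_REQUEST_UPLOAD, 1, 4096 };
    device_init(&dev, start);
    return handler(&dev, &sp);
}

/* The two-request sequence a host-side attacker would send: a legal UPLOAD that moves
 * the device out of DFU_IDLE, then an oversized one. Returns true if the second request
 * reached the callback with a length larger than the buffer. */
static bool attack_sequence_overflows(upload_handler_fn handler)
{
    struct dfu_device dev;
    struct setup_packet first  = { DFU_REQUEST_UPLOAD, 0, CONTROL_BUFFER_SIZE };
    struct setup_packet second = { DFU_REQUEST_UPLOAD, 1, 4096 };
    device_init(&dev, DFU_STATE_IDLE);
    handler(&dev, &first);
    handler(&dev, &second);
    return dev.overflow_detected;
}
```

The vulnerable handler rejects the oversized request from DFU_STATE_IDLE, which is why a single fuzzed request from the initial state looks safe; it is the second request, sent once a legal upload has moved the state machine on, that reaches the callback unbounded. Hoisting the wLength comparison above the switch is the whole of the workaround, and it is also the check to look for when auditing any other state-machine-driven control-request handler.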

Exploit

Fix

Buffer Overflow


Weakness Enumeration

Related Identifiers

CVE-2022-39344
GHSA-M9P8-XRP7-VVQP

Affected Products

Azure Rtos Usbx