CVE-2026-0648

Name of the Vulnerable Software and Affected Versions ThreadX (affected versions not specified)

Description The issue arises from flawed error handling within the CreateCounter() function, located in 'threadx/utility/rtos compatibility layers/OSEK/tx osek.c'. The function incorrectly validates the return value of osek get counter(). It checks for a value of 0u to indicate failure, while osek get counter() returns 12U (E OS SYS STACK) upon failure. This discrepancy prevents the error handling branch from executing when the counter pool is exhausted. Consequently, the code casts the error code (12U) to a pointer (OSEK COUNTER *), resulting in a wild pointer. Subsequent writes to this pointer lead to memory corruption or HardFaults. This can lead to denial-of-service or unauthorized memory access.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.