Eclipse ThreadX


Thousands of developers use stack.watch to stay informed.
Get an email whenever new security vulnerabilities are reported in Eclipse Threadx.

By the Year

In 2026 there have been 2 vulnerabilities in Eclipse ThreadX with an average score of 6.0 out of ten. Last year, in 2025, ThreadX had 3 security vulnerabilities published. If vulnerabilities keep coming in at the current rate, the number of security vulnerabilities in ThreadX in 2026 could surpass last year's number.

Year   Vulnerabilities   Average Score
2026   2                 6.00
2025   3                 0.00
2024   2                 7.80

It may take a day or so for new ThreadX vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Eclipse Threadx Security Vulnerabilities

DoS via Wild Pointer in ThreadX OSEK's CreateCounter()
CVE-2026-0648 7.8 - High - January 27, 2026

The vulnerability stems from incorrect error-checking logic in the CreateCounter() function (in threadx/utility/rtos_compatibility_layers/OSEK/tx_osek.c) when handling the return value of osek_get_counter(). Specifically, the current code checks whether cntr_id equals 0u to determine failure, but osek_get_counter() actually returns E_OS_SYS_STACK (defined as 12U) when it fails. This mismatch causes the error branch never to execute, even when the counter pool is exhausted. As a result, when the counter pool is depleted, the code proceeds to cast the error code (12U) to a pointer (OSEK_COUNTER *), creating a wild pointer. Subsequent writes to members of this pointer become writes to illegal memory addresses (e.g., 0x0000000C), which can trigger immediate HardFaults or silent memory corruption. This vulnerability poses significant risks, including potential denial-of-service attacks (via repeated calls to exhaust the counter pool) and unauthorized memory access.

Incorrect Check of Function Return Value

Stack overflow via unchecked recursion in USBX Host Storage mount
CVE-2025-55095 4.2 - Medium - January 27, 2026

The function _ux_host_class_storage_media_mount() is responsible for mounting partitions on a USB mass storage device. When it encounters an extended partition entry in the partition table, it recursively calls itself to mount the next logical partition. This recursion occurs in _ux_host_class_storage_partition_read(), which parses up to four partition entries. If an extended partition is found (with type UX_HOST_CLASS_STORAGE_PARTITION_EXTENDED or EXTENDED_LBA_MAPPED), the code invokes: _ux_host_class_storage_media_mount(storage, sector + _ux_utility_long_get(...)); There is no limit on the recursion depth or tracking of visited sectors. As a result, a malicious or malformed disk image can include cyclic or excessively deep chains of extended partitions, causing the function to recurse until stack overflow occurs.

Stack Overflow

ThreadX <6.4.3 Arbitrary Mem Read/Write via Weak Syscall Verification
CVE-2025-55080 - October 15, 2025

In Eclipse ThreadX before 6.4.3, when memory protection is enabled, syscall parameter verification was insufficient, allowing an attacker to obtain an arbitrary memory read/write.

Improper Handling of Parameters

ThreadX DoS via Thread Priority Escalation (<6.4.3)
CVE-2025-55079 - October 15, 2025

In Eclipse ThreadX before version 6.4.3, the thread module has a maximum priority setting. In some cases the check against that maximum priority was not performed, allowing a thread to obtain a higher priority than expected and causing a possible denial of service.

Allocation of Resources Without Limits or Throttling

Eclipse ThreadX <6.4.3: DoS via Unchecked Memory Pointer
CVE-2025-55078 - October 14, 2025

In Eclipse ThreadX before version 6.4.3, an attacker can cause a denial of service (crash) by providing a pointer to a reserved or unmapped memory region. Vulnerable system calls did check the pointer, but the check did not verify whether the pointer lay outside the module's memory region.

Improper Handling of Parameters

ThreadX 6.3 Memory Overwrite via _Mtxinit() Array Overrun
CVE-2024-2214 7.8 - High - March 26, 2024

In Eclipse ThreadX before version 6.4.0, the _Mtxinit() function in the Xtensa port was missing an array size check, causing a memory overwrite. The affected file was ports/xtensa/xcc/src/tx_clib_lock.c.

Out-of-bounds Array Index

ThreadX <6.4.0: xQueueCreate Heap Overflow in FreeRTOS API
CVE-2024-2212 7.8 - High - March 26, 2024

In Eclipse ThreadX before 6.4.0, the xQueueCreate() and xQueueCreateSet() functions from the FreeRTOS compatibility API (utility/rtos_compatibility_layers/FreeRTOS/tx_freertos.c) were missing parameter checks. This could lead to integer wraparound, under-allocation and heap buffer overflows.

Memory Corruption


Vendor: Eclipse