CVE-2022-29246 – CVE-2022-29246 is a buffer overflow vulnerabili... (How to Fix)

Q: What is the severity of CVE-2022-29246?

CVE-2022-29246 has a CVSS score of 9.8 (CRITICAL). CVE-2022-29246 is a buffer overflow vulnerability in Azure RTOS USBX's DFU UPLOAD functionality that allows attackers to bypass security features or execute arbitrary code. It affects all systems using Azure RTOS USBX versions prior to 6.1.11 with USB DFU functionality enabled. The vulnerability occurs when handling DFU UPLOAD commands with oversized data transfers.

📋 TL;DR

CVE-2022-29246 is a buffer overflow vulnerability in Azure RTOS USBX's DFU UPLOAD functionality that allows attackers to bypass security features or execute arbitrary code. It affects all systems using Azure RTOS USBX versions prior to 6.1.11 with USB DFU functionality enabled. The vulnerability occurs when handling DFU UPLOAD commands with oversized data transfers.

💻 Affected Systems

Products:

Azure RTOS USBX

Versions: All versions prior to 6.1.11

Operating Systems: Any OS using Azure RTOS USBX stack

Default Config Vulnerable: ⚠️ Yes

Notes: Only affects systems with USB Device Firmware Upgrade (DFU) functionality enabled and accessible.

📦 What is this software?

Threadx Usbx by Eclipse

View all CVEs affecting Threadx Usbx →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise through arbitrary code execution, allowing attackers to take full control of affected devices and potentially pivot to other systems.

🟠

Likely Case

Denial of service through system crashes or memory corruption, with potential for limited code execution in specific configurations.

🟢

If Mitigated

No impact if patched or proper buffer boundary checks are implemented in custom implementations.

🌐 Internet-Facing: MEDIUM - Requires USB connection or USB-over-IP access, but many IoT/embedded devices expose USB interfaces.

🏢 Internal Only: HIGH - USB-connected devices in industrial, medical, or critical infrastructure environments are particularly vulnerable to physical or network-based USB attacks.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploitation requires USB access to the device but no authentication. The vulnerability is straightforward to trigger with crafted DFU UPLOAD commands.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 6.1.11

Vendor Advisory: https://github.com/azure-rtos/usbx/security/advisories/GHSA-hh5p-x584-j8hv

Restart Required: Yes

Instructions:

1. Download USBX version 6.1.11 or later from official repository. 2. Replace vulnerable USBX components in your project. 3. Recompile and redeploy firmware. 4. Restart affected devices.

🔧 Temporary Workarounds

Buffer Size Alignment

all

Manually align request and buffer sizes to ensure buffer boundaries are respected in the ux_device_class_dfu_control_request function.

Modify ux_device_class_dfu_control_request.c to add boundary checks before processing UX_SLAVE_CLASS_DFU_COMMAND_UPLOAD

🧯 If You Can't Patch

Disable USB DFU functionality if not required for device operation
Implement network segmentation to isolate USB-connected devices from critical systems

🔍 How to Verify

Check if Vulnerable:

Check USBX version in source code or compiled firmware. If version < 6.1.11 and DFU functionality is enabled, system is vulnerable.

Check Version:

Check USBX_VERSION_MAJOR, USBX_VERSION_MINOR, USBX_VERSION_PATCH in ux_api.h or project configuration

Verify Fix Applied:

Verify USBX version is 6.1.11 or later and examine ux_device_class_dfu_control_request.c for proper buffer boundary checks.

📡 Detection & Monitoring

Log Indicators:

Multiple failed DFU operations
Unexpected device resets after USB connections
Memory access violation logs

Network Indicators:

Unusual USB traffic patterns
DFU commands with abnormally large wLength values

SIEM Query:

Device logs containing 'DFU UPLOAD' with size > 256 OR memory violation errors after USB connection

📊 Metadata

CVE ID: CVE-2022-29246

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-120

Published: May 24, 2022

Last Updated: October 27, 2025

🔗 References

https://github.com/azure-rtos/usbx/blob/master/common/usbx_device_classes/src/ux_device_class_dfu_control_request.c Third Party Advisory
https://github.com/azure-rtos/usbx/releases/tag/v6.1.11_rel Release Notes,Third Party Advisory
https://github.com/azure-rtos/usbx/security/advisories/GHSA-hh5p-x584-j8hv Third Party Advisory
https://github.com/azure-rtos/usbx/blob/master/common/usbx_device_classes/src/ux_device_class_dfu_control_request.c Third Party Advisory
https://github.com/azure-rtos/usbx/releases/tag/v6.1.11_rel Release Notes,Third Party Advisory
https://github.com/azure-rtos/usbx/security/advisories/GHSA-hh5p-x584-j8hv Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2022-29246, you might also want to check these: