CVE-2026-0648
📋 TL;DR
This vulnerability allows attackers to cause denial-of-service or memory corruption by exhausting the ThreadX RTOS counter pool. When the pool is depleted, the system creates a wild pointer that writes to illegal memory addresses, potentially crashing the system or corrupting memory. This affects systems using ThreadX with OSEK compatibility layers.
💻 Affected Systems
- ThreadX RTOS with OSEK compatibility layer
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete system crash via HardFault, potential remote code execution through memory corruption, or persistent denial-of-service.
Likely Case
System crashes or instability when counter pool is exhausted, leading to denial-of-service.
If Mitigated
Controlled crashes with proper monitoring and restart mechanisms, limiting availability impact.
🎯 Exploit Status
Exploitation requires ability to repeatedly call CreateCounter() until pool exhaustion. This may require application-level access or specific API calls.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check GitHub advisory for specific patched version
Vendor Advisory: https://github.com/eclipse-threadx/threadx/security/advisories/GHSA-xj75-fc68-h4rw
Restart Required: Yes
Instructions:
1. Update ThreadX to the patched version from the official repository.
2. Recompile affected applications.
3. Deploy updated firmware.
4. Restart affected systems.
🔧 Temporary Workarounds
Limit CreateCounter calls
Implement rate limiting or quota enforcement on CreateCounter() API calls to prevent pool exhaustion.
Disable OSEK compatibility
If not required, disable OSEK compatibility layer compilation to remove the vulnerable code path.
Remove -DTX_ENABLE_OSEK_COMPATIBILITY from build flags
🧯 If You Can't Patch
- Implement monitoring for repeated CreateCounter() failures and alert on threshold breaches
- Add memory protection units (MPUs) or hardware watchdogs to detect and recover from HardFaults
🔍 How to Verify
Check if Vulnerable:
Check whether tx_osek.c tests the CreateCounter() result only with the incorrect check (cntr_id == 0u) instead of checking for the E_OS_SYS_STACK (12U) return value.
Check Version:
Check ThreadX version in source code or build configuration
Verify Fix Applied:
Verify that the patched version correctly checks for the E_OS_SYS_STACK return value in the CreateCounter() function.
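The incorrect check and its corrected form, side by side, as an added illustration of the verification step above. This is constructed demo code, not ThreadX's tx_osek.c: only the E_OS_SYS_STACK (12U) value comes from the advisory; the mock allocator, the pool size, and the function names are assumptions. The "address" a pattern would go on to use is returned, never dereferenced.

```c
#include <stdint.h>
#include <stdbool.h>

/* Constructed stand-in for the OSEK compatibility layer (not ThreadX code).
 * Only E_OS_SYS_STACK (12U) is taken from the advisory; the pool size, the
 * mock allocator and the caller names are assumptions for this demo. */
#define E_OS_SYS_STACK     12U
#define COUNTER_POOL_SIZE  3U

typedef uint32_t CounterType;
static uint32_t counters_allocated = 0U;
static uint32_t create_failures = 0U;   /* feeds the monitoring threshold below */

/* Mock CreateCounter(): hands out IDs 1..N and returns E_OS_SYS_STACK once the
 * pool is depleted, mirroring the return value the advisory describes. */
static CounterType mock_CreateCounter(void) {
    if (counters_allocated >= COUNTER_POOL_SIZE) { create_failures++; return E_OS_SYS_STACK; }
    return ++counters_allocated;
}

static void mock_reset(void) { counters_allocated = 0U; create_failures = 0U; }

/* Vulnerable pattern: only 0 is treated as failure, so the error code 12 is
 * accepted as an ID. Returns the raw value a caller would go on to use as a
 * counter pointer (12 -> address 0x0000000C); 0 means "rejected". */
uintptr_t vulnerable_create(void) {
    CounterType cntr_id = mock_CreateCounter();
    if (cntr_id == 0u) return 0;                  /* the incorrect check */
    return (uintptr_t)cntr_id;
}

/* Hardened pattern: reject the documented error code explicitly. */
uintptr_t hardened_create(void) {
    CounterType cntr_id = mock_CreateCounter();
    if (cntr_id == 0u || cntr_id == E_OS_SYS_STACK) return 0;
    return (uintptr_t)cntr_id;
}

/* Exhausts the pool, then makes one more call through the given pattern and
 * returns whatever that pattern hands back after exhaustion. */
uintptr_t run_after_exhaustion(uintptr_t (*create)(void)) {
    mock_reset();
    for (uint32_t i = 0; i < COUNTER_POOL_SIZE; i++) (void)create();
    return create();
}

/* Monitoring hook from the "If You Can't Patch" list: true once repeated
 * CreateCounter() failures reach the configured threshold. */
bool failure_threshold_breached(uint32_t threshold) {
    return create_failures >= threshold;
}
```

With a three-entry pool, the fourth creation returns 12: the vulnerable pattern passes 0x0000000C on as if it were a counter, while the hardened pattern rejects it and the failure counter records the event.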
📡 Detection & Monitoring
Log Indicators:
- Multiple CreateCounter() failures
- HardFault exceptions
- Memory access violations at address 0x0000000C
Network Indicators:
- Unusual repeated API calls to counter creation endpoints
SIEM Query:
search 'CreateCounter failure' OR 'HardFault' OR 'memory access violation 0xC'