Description
The vulnerability stems from an incorrect error-checking logic in the CreateCounter() function (in threadx/utility/rtos_compatibility_layers/OSEK/tx_osek.c) when handling the return value of osek_get_counter(). Specifically, the current code checks if cntr_id equals 0u to determine failure, but @osek_get_counter() actually returns E_OS_SYS_STACK (defined as 12U) when it fails. This mismatch causes the error branch to never execute even when the counter pool is exhausted.

As a result, when the counter pool is depleted, the code proceeds to cast the error code (12U) to a pointer (OSEK_COUNTER *), creating a wild pointer. Subsequent writes to members of this pointer lead to writes to illegal memory addresses (e.g., 0x0000000C), which can trigger immediate HardFaults or silent memory corruption.

This vulnerability poses significant risks, including potential denial-of-service attacks (via repeated calls to exhaust the counter pool) and unauthorized memory access.
Published: 2026-01-27
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service and memory corruption
Action: Immediate Patch
AI Analysis

Impact

The Core issue stems from an error in the CreateCounter function within the ThreadX OSEK compatibility layer. The function incorrectly checks for a zero counter ID to detect failures, while the underlying osek_get_counter function returns the value 12 (E_OS_SYS_STACK) on exhaustion. Because the error check never triggers, the code proceeds to treat the numeric error code as a pointer. Subsequent writes using this bogus pointer corrupt memory at addresses such as 0x0000000C or trigger immediate hard faults. An attacker can exploit this flaw by repeatedly requesting counters until the pool is depleted, forcing the defective branch and destabilising the system. The result is a functional denial of service or silent memory corruption that could affect integrity and availability of the host application.

Affected Systems

All implementations of Eclipse ThreadX that include the ThreadX OSEK compatibility layer, as identified by the Eclipse Foundation. The specific code resides in the file threadx/utility/rtos_compatibility_layers/OSEK/tx_osek.c. Version details are not enumerated in the advisory, so any build incorporating this source should be considered vulnerable until a patch is applied.

Risk and Exploitability

The CVSS score of 7.8 marks this vulnerability as high severity. The EPSS score is listed as less than 1%, indicating that, as of the last assessment, exploitation attempts are very rare. The flaw has not been reported in the CISA Known Exploited Vulnerabilities catalog. Exploitation requires triggering counter creation repeatedly—an action that can be performed by local or remote entities that can invoke the affected API. While there is no immediate capability for remote code execution, the ability to crash the system or corrupt memory presents a significant risk to critical embedded systems that rely on ThreadX for real‑time performance.

Generated by OpenCVE AI on April 18, 2026 at 14:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Contact Eclipse ThreadX support or check the official Eclipse ThreadX repository for a patched release that corrects the CreateCounter error handling.
  • Apply the vendor‑issued firmware or source code update that implements proper error checking and prevents the cast of numeric error codes to pointer types.
  • Until a patch is available, implement protective measures such as limiting the frequency of counter requests or adding guard checks to detect and prevent counter pool exhaustion, thereby mitigating denial‑of‑service attacks.

Generated by OpenCVE AI on April 18, 2026 at 14:48 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 18 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Title ThreadX OSEK Compatibility Layer Counter Pool Exhaustion Causing Memory Corruption

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-787
CPEs cpe:2.3:a:eclipse:threadx:*:*:*:*:*:*:*:*

Tue, 27 Jan 2026 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Eclipse
Eclipse threadx
Vendors & Products Eclipse
Eclipse threadx

Tue, 27 Jan 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 27 Jan 2026 16:00:00 +0000

Type Values Removed Values Added
Description The vulnerability stems from an incorrect error-checking logic in the CreateCounter() function (in threadx/utility/rtos_compatibility_layers/OSEK/tx_osek.c) when handling the return value of osek_get_counter(). Specifically, the current code checks if cntr_id equals 0u to determine failure, but @osek_get_counter() actually returns E_OS_SYS_STACK (defined as 12U) when it fails. This mismatch causes the error branch to never execute even when the counter pool is exhausted. As a result, when the counter pool is depleted, the code proceeds to cast the error code (12U) to a pointer (OSEK_COUNTER *), creating a wild pointer. Subsequent writes to members of this pointer lead to writes to illegal memory addresses (e.g., 0x0000000C), which can trigger immediate HardFaults or silent memory corruption. This vulnerability poses significant risks, including potential denial-of-service attacks (via repeated calls to exhaust the counter pool) and unauthorized memory access.
Weaknesses CWE-253
References
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H'}

Subscriptions

Eclipse Threadx
cve-icon MITRE

Status: PUBLISHED

Assigner: eclipse

Published:

Updated: 2026-01-27T15:53:36.128Z

Reserved: 2026-01-06T16:19:46.498Z

Link: CVE-2026-0648

cve-icon Vulnrichment

Updated: 2026-01-27T15:53:25.302Z

cve-icon NVD

Status : Analyzed

Published: 2026-01-27T16:16:35.107

Modified: 2026-04-02T20:30:57.860

Link: CVE-2026-0648

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T15:00:03Z

Weaknesses