CVE-2026-0648

Source
https://cve.org/CVERecord?id=CVE-2026-0648
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-0648.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-0648
Aliases
  • GHSA-xj75-fc68-h4rw
Published
2026-01-27T15:40:31.216Z
Modified
2026-07-08T07:32:22.428946334Z
Severity
  • 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

The vulnerability stems from an incorrect error-checking logic in the CreateCounter() function (in threadx/utility/rtoscompatibilitylayers/OSEK/txosek.c) when handling the return value of osekgetcounter(). Specifically, the current code checks if cntrid equals 0u to determine failure, but @osekgetcounter() actually returns EOSSYS_STACK (defined as 12U) when it fails. This mismatch causes the error branch to never execute even when the counter pool is exhausted.

As a result, when the counter pool is depleted, the code proceeds to cast the error code (12U) to a pointer (OSEK_COUNTER *), creating a wild pointer. Subsequent writes to members of this pointer lead to writes to illegal memory addresses (e.g., 0x0000000C), which can trigger immediate HardFaults or silent memory corruption.

This vulnerability poses significant risks, including potential denial-of-service attacks (via repeated calls to exhaust the counter pool) and unauthorized memory access.

Database specific
{
    "cna_assigner": "eclipse",
    "cwe_ids": [
        "CWE-253"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/0xxx/CVE-2026-0648.json"
}
References

Affected packages

Git / github.com/eclipse-threadx/threadx

Affected ranges

Type
GIT
Repo
https://github.com/eclipse-threadx/threadx
Events
Database specific
{
    "extracted_events": [
        {
            "introduced": "6.1.7"
        },
        {
            "last_affected": "6.4.3"
        },
        {
            "fixed": "6.4.5"
        }
    ],
    "cpe": "cpe:2.3:a:eclipse:threadx:*:*:*:*:*:*:*:*",
    "source": [
        "AFFECTED_FIELD",
        "CPE_RANGE"
    ]
}

Affected versions

v6.*
v6.1.10_rel
v6.1.11_rel
v6.1.12_rel
v6.1.7_rel
v6.1.8_rel
v6.1.9_rel
v6.2.0_rel
v6.2.1_rel
v6.3.0_rel
v6.4.0_rel
v6.4.1_rel
v6.4.2_rel
v6.4.3.202503_rel

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-0648.json"