CVE-2021-42553 MEDIUM

CVE-2021-42553: STM32 USB Host Library Buffer Overflow

Vendor STMicroelectronics STM32Cube
Product STM32 USB Host Library
Published October 21, 2022
Last update May 7, 2025

CVSS base score

6.8/10
Attack vector Physical
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01 Description

A buffer overflow vulnerability in stm32_mw_usb_host of STMicroelectronics in versions before 3.5.1 allows an attacker to execute arbitrary code when the descriptor contains more endpoints than USBH_MAX_NUM_ENDPOINTS. The library is typically integrated when using an RTOS such as FreeRTOS on STM32 MCUs.

Key dates

02 Disclosure timeline

October 21, 2022 CVE published
May 7, 2025 Record updated