Vulnerability in ThreadX WiFi firmware

Within a very popular firmware (ThreadX) for WiFi chips, a vulnerability has been discovered that allows remote code execution. This exposes billions of devices to a security risk.


An entry at outlines the problem: The vulnerability exposes notebooks, routers, smartphones, game consoles, IoT devices and more to a security risk. Both ZDNet and Bleeping Computer reporting on this case.

A vulnerability allowing remote code execution was found in the firmware of ThreadX, a real-time operating system (RTOS). Developed by Express Logic, the vendor claims on its website that ThreadX has over 6.2 billion implementations, making it one of the most popular software solutions for Wi-Fi chips.

The firmware also supports the Avastar 88W8897 SoC (Wi-Fi + Bluetooth + NFC) chip from Marvell, which is included in the Sony PlayStation 4 (and its Pro version), the Microsoft Surface (+Pro) tablet and laptop, the Xbox One, Samsung Chromebook and smartphones (Galaxy J1) as well as Valve SteamLink.

The vulnerability was discovered by Embedi researcher Denis Selianin. He has taken a security audit on the firmware because of its popularity. Selianin claims to have found a total of four memory corruption vulnerabilities in parts of the firmware. "One of the vulnerabilities discovered was a special case of the ThreadX block pool overflow. This vulnerability can be triggered without user interaction during the scan for available networks," said the researcher.

The researcher states that the firmware function for scanning for new WiFi networks starts automatically every five minutes and makes the exploitation of vulnerabilities trivial. All an attacker has to do is send deformed WiFi packets to any device with a Marvell Avastar WiFi chipset and wait for the function to start to execute malicious code and take over the device.


"That's why this bug is so cool and offers the ability to literally exploit devices with zero-click interaction in any state of wireless connectivity (even if a device is not connected to a network)," Selianin said.

On ZDNet a video showing an attack is embedded within the article. The proof-of-concept code was not published by the security researcher for obvious reasons. Patches to close the vulnerabilities are in progress.

Cookies helps to fund this blog: Cookie settings

This entry was posted in Security and tagged . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *