Critical RCE vulnerability in BlackBerry QNX SDP and QNX OS

Cybersecurity specialists revealed the detection of a critical flaw in BlackBerry QNX SDP, an advanced software that provides a complete development environment for devices and systems based on QNX Neutrino. According to the developers’ report, successful exploitation of this flaw would compromise the affected system completely.

Tracked as CVE-2021-22156, this flaw was described as an integer overflow in the “calloc()” function in the C run-time library. Remote threat actors could pass specially crafted data to the affected application in order to trigger an integer overflow.

The vulnerability received a score of 8.8/10 according to the Common Vulnerability Scoring System (CVSS) and its successful exploitation would allow arbitrary code execution on the affected systems.

According to the report, the flaw lies in the following implementations:

  • BlackBerry QNX SDP: 6.5.0SP1
  • QNX OS for Medical: 1.1
  • QNX OS for Safety: 1.0.1

While the vulnerability can be exploited by unauthenticated threat actors, no exploit attempts have been detected in the wild so far. However, users of affected deployments are encouraged to update as soon as possible.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.