Security Experts:

Connect with us

Hi, what are you looking for?



BadAlloc Flaw Impacts Many Systems Running BlackBerry’s QNX Embedded OS

BlackBerry this week informed customers that the QNX embedded operating system is affected by a BadAlloc vulnerability leading to arbitrary code execution or denial of service.

BlackBerry this week informed customers that the QNX embedded operating system is affected by a BadAlloc vulnerability leading to arbitrary code execution or denial of service.

Publicly disclosed in April, BadAlloc is a collection of 25 vulnerabilities impacting many Internet of Things (IoT) and operational technology (OT) devices. The flaws can allow malicious attackers to gain control of highly sensitive systems.

The issue affects C standard library (libc) implementations, real-time operating systems (RTOS), and embedded software development kits (SDKs), and could be exploited to execute arbitrary code or cause systems to crash.

On Tuesday, BlackBerry revealed that the QNX RTOS is affected by a BadAlloc vulnerability tracked as CVE-2021-22156 (CVSS score of 9.0). The flaw, an integer overflow bug, impacts the C runtime library present in various BlackBerry QNX products.

“In order to exploit this vulnerability, an attacker must have control over the parameters to a calloc() function call and the ability to control what memory is accessed after the allocation. To remotely exploit this vulnerability, an attacker would require network access and the devices would need to have a vulnerable service running and exposed,” BlackBerry explains.

QNX, the company says, is used in more than 195 million vehicles, as well as in embedded systems in industries such as aerospace, automotive, defense, industrial controls, and medical, among others.

According to BlackBerry, the issue affects QNX Software Development Platform (SDP) 6.5.0SP1 and earlier versions, QNX for Safety versions 1.0.1 and earlier safety products compliant with IEC 61508 and/or ISO 26262, and QNX for Medical versions 1.1 and earlier safety products compliant with IEC 62304. The company has published a list of affected products.

BlackBerry has released software updates to patch the vulnerabilities, urging all QNX SDP, QNX OS for Safety, and QNX OS for Medical customers to update their products immediately.

Available mitigations include ensuring that all unused ports are blocked, that network segmentation is implemented, and that best practices for vulnerability scanning and intrusion detection are followed. However, no workarounds exist for the vulnerability.

The Cybersecurity and Infrastructure Security Agency (CISA), which notes that the impact of the BadAlloc vulnerability should not be underestimated, encourages organizations using affected QNX-based systems, including critical infrastructure entities, to apply the available patches as soon as possible.

“Because many affected devices include safety-critical devices, exploitation of this vulnerability could result in a malicious actor gaining control of sensitive systems, possibly leading to increased risk of damage to infrastructure or critical functions,” CISA says.

Related: Millions of IoT Devices Exposed to Attacks Due to Cloud Platform Vulnerability

Related: Devices From Many Vendors Can Be Hacked Remotely Due to Flaws in Realtek SDK

Related: August 2021 ICS Patch Tuesday: Siemens, Schneider Address Over 50 Flaws

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.


Otorio has released a free tool that organizations can use to detect and address issues related to DCOM authentication.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...