BadAlloc Vulnerability Affecting BlackBerry QNX RTOS

On August 17, 2021, BlackBerry publicly disclosed that its QNX Serious Time Operating Procedure (RTOS) is impacted by a BadAlloc vulnerability—CVE-2021-22156. BadAlloc is a selection of vulnerabilities impacting multiple RTOSs and supporting libraries.[1] A distant attacker could exploit CVE-2021-22156 to lead to a denial-of-assistance issue or execute arbitrary code on influenced equipment.[2] BlackBerry QNX RTOS is made use of in a broad vary of items whose compromise could outcome in a malicious actor getting regulate of really sensitive programs,  escalating threat to the Nation’s significant capabilities. Note: at this time, CISA is not conscious of lively exploitation of this vulnerability.

CISA strongly encourages critical infrastructure organizations and other business producing, keeping, supporting, or using affected QNX-based mostly devices, to patch influenced items as swiftly as achievable. Refer to the Mitigations section for much more data about patching.

CVE-2021-22156 is an integer overflow vulnerability affecting the calloc() purpose in the C runtime library of various BlackBerry QNX items. Exploitation of this vulnerability could lead to a denial-of-provider situation or arbitrary code execution in influenced devices. To exploit this vulnerability, an attacker have to have control over the parameters to a calloc() operate contact and the capability to handle what memory is accessed right after the allocation. An attacker with community access could remotely exploit this vulnerability if the vulnerable products is jogging and the impacted unit is exposed to the internet.[3]

CVE-2021-22156 is aspect of a selection of integer overflow vulnerabilities, identified as BadAlloc, which have an affect on a wide range of industries using Online of Matters (IoT), and operational engineering (OT)/industrial control programs (ICS) products. See CISA ICS Advisory ICSA-21-119-04 and Microsoft’s BadAlloc blog site article for much more information and facts.

All BlackBerry systems with dependency on the C runtime library are afflicted by this vulnerability (see table 1 for a record of impacted BlackBerry QNX merchandise). Due to the fact a lot of influenced gadgets involve safety-important devices, exploitation of this vulnerability could final result in a destructive actor getting regulate of delicate programs, quite possibly foremost to enhanced danger of hurt to infrastructure or critical capabilities.

Table 1: Influenced BlackBerry QNX Products [4]
Solution Impacted Variation
 QNX SDP  6.5.0SP1, 6.5.,  6.4.1, 6.4.
 QNX Momentics Growth Suite  6.3.2
 QNX Momentics 6.3.0SP3, 6.3.0SP2, 6.3.0SP1, 6.3., 6.2.1b, 6.2.1, 6.2.1A, 6.2.
 QNX Realtime Platform  6.1.0a, 6.1., 6..0a, 6..
 QNX Cross Improvement Kit  6.., 6.1.
 QNX Enhancement Package (Self-hosted)  6.., 6.1.
 QNX Neutrino RTOS Harmless Kernel  1.
 QNX Neutrino RTOS Certified As well as  1.
 QNX Neutrino RTOS for Professional medical Equipment  1., 1.1
 QNX OS for Automotive Protection  1.
 QNX OS for Basic safety  1., 1..1
 QNX Neutrino Safe Kernel  6.4., 6.5.
 QNX Automobile Advancement Platform  2.0RR


CISA strongly encourages critical infrastructure organizations and other businesses establishing, preserving, supporting, or utilizing influenced QNX-primarily based programs to patch impacted items as immediately as doable.

  • Companies of merchandise that incorporate susceptible variations should make contact with BlackBerry to get hold of the patch.
  • Producers of goods who produce unique versions of RTOS software program must get hold of BlackBerry to get hold of the patch code. Notice: in some scenarios, manufacturers may want to build and check their own software package patches.
  • Close consumers of safety-significant methods need to make contact with the producer of their item to get a patch. If a patch is offered, people should implement the patch as soon as doable. If a patch is not readily available, customers should apply the manufacturer’s recommended mitigation steps right until the patch can be used.
    • Observe: set up of software package updates for RTOS frequently could require taking the device out of service or to an off-web site place for actual physical alternative of built-in memory.


Fibo Quantum