BlackBerry publicly disclosed that its QNX Real-Time Operating System (RTOS), an embedded OS found in automotive, medical, industrial and other critical systems, including ones operated by government agencies, is affected by the "BadAlloc" vulnerability class. BadAlloc is a family of memory-allocation integer-overflow bugs; the QNX instance, CVE-2021-22156, can be exploited by a remote attacker to cause a denial of service (DoS) or execute arbitrary code on affected devices.
CVE-2021-22156 is an integer overflow in the calloc() function of the C runtime library shipped with multiple BlackBerry QNX products. calloc() multiplies the element count by the element size to compute the allocation; if that product is not checked for wraparound, a large request silently turns into a small buffer that the caller then treats as full-size, leading to heap memory corruption. According to the U.S. Cybersecurity & Infrastructure Security Agency (CISA), QNX is embedded in a wide range of products, and a compromise could let a malicious actor gain control of sensitive systems, including ones that support critical government functions.
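The following is an added illustration of the BadAlloc pattern in general and is not BlackBerry's code; the page does not show QNX's actual calloc() implementation, so the unchecked multiply below is an assumed minimal form. It places a simplified allocator that multiplies without checking beside a hardened one that rejects any count/size pair whose product would wrap, and exposes the wrapped size so the effect can be seen directly.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Returns the size calloc() would compute if it multiplied nmemb * size
 * without an overflow check. On any platform, (SIZE_MAX/2 + 1) * 2 wraps
 * to 0, so the caller gets a tiny or empty buffer for a huge request. */
size_t wrapped_total(size_t nmemb, size_t size)
{
    return nmemb * size;   /* size_t arithmetic wraps modulo SIZE_MAX + 1 */
}

/* Returns 1 if nmemb * size cannot be represented in a size_t.
 * nmemb*size > SIZE_MAX  <=>  size > SIZE_MAX / nmemb (floor division). */
int calloc_size_overflows(size_t nmemb, size_t size)
{
    return nmemb != 0 && size > SIZE_MAX / nmemb;
}

/* Illustrative vulnerable form (assumed, not QNX's code): no wraparound
 * check, so an attacker-controlled count can shrink the allocation while
 * the caller still indexes it as nmemb elements of size bytes. */
void *calloc_unchecked(size_t nmemb, size_t size)
{
    size_t total = wrapped_total(nmemb, size);
    void *p = malloc(total);
    if (p)
        memset(p, 0, total);   /* zeroes only the (possibly wrapped) total */
    return p;
}

/* Hardened form: fail the request instead of handing back an undersized
 * buffer. This is the fix pattern for the BadAlloc class. */
void *calloc_checked(size_t nmemb, size_t size)
{
    if (calloc_size_overflows(nmemb, size))
        return NULL;
    size_t total = nmemb * size;   /* safe: proven not to wrap */
    void *p = malloc(total);
    if (p)
        memset(p, 0, total);
    return p;
}

int main(void)
{
    /* Constructed attacker-style request: the product wraps to 0. */
    size_t nmemb = SIZE_MAX / 2 + 1, size = 2;

    printf("requested %zu x %zu bytes\n", nmemb, size);
    printf("unchecked total: %zu (wrapped)\n", wrapped_total(nmemb, size));
    printf("checked calloc returns %s\n",
           calloc_checked(nmemb, size) ? "a buffer (BAD)" : "NULL (rejected)");

    void *ok = calloc_checked(4, 8);   /* a sane request still succeeds */
    printf("checked calloc(4, 8) -> %s\n", ok ? "buffer" : "NULL");
    free(ok);
    return 0;
}
```

The check is deliberately written as a division rather than a post-multiply comparison, because comparing `total / size != nmemb` after the multiply still relies on the already-wrapped value; GCC and Clang also offer `__builtin_mul_overflow()` for the same purpose where compiler-specific code is acceptable.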
CISA noted that it is not aware of any active exploitation.
The agency recommends that critical infrastructure organizations and other groups developing, maintaining, supporting or using affected systems apply the appropriate patch(es) “as quickly as possible.” Manufacturers of products that incorporate vulnerable versions should contact BlackBerry to obtain the patch.
Additional information is available via CISA’s website.