PT-2021-3887 · Blackberry · Blackberry Qnx Os For Medical+2

Published: 2021-08-17 · Updated: 2025-08-22 · CVE-2021-22156

CVSS v3.1: 10 (Critical)
Vector: AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

BlackBerry QNX Software Development Platform (SDP) versions 6.5.0SP1 and earlier
BlackBerry QNX OS for Medical versions 1.1 and earlier
BlackBerry QNX OS for Safety versions 1.0.1 and earlier

Description

The issue is an integer overflow vulnerability in the calloc() function of the C runtime library. A remote attacker could use it to cause a denial of service or execute arbitrary code on affected devices. The vulnerability affects over 200 million vehicles and thousands of industrial control systems in various strategic industries, including medicine and others. Although there is no confirmed active exploitation of this vulnerability, there is concern that it could be exploited, leading to significant consequences.

Recommendations

For BlackBerry QNX Software Development Platform (SDP) versions 6.5.0SP1 and earlier: Update to a version that includes the fix for the integer overflow vulnerability in the calloc() function.
For BlackBerry QNX OS for Medical versions 1.1 and earlier: Update to a version that includes the fix for the integer overflow vulnerability in the calloc() function.
For BlackBerry QNX OS for Safety versions 1.0.1 and earlier: Update to a version that includes the fix for the integer overflow vulnerability in the calloc() function.
As a temporary workaround, consider restricting access to the calloc() function until a patch is available.
Note: According to BlackBerry, there are no workarounds for this vulnerability, but users can reduce the possibility of an attack by following the recommended measures and local updates.

Fix

DoS

Integer Overflow

Weakness Enumeration

Related Identifiers

BDU:2021-04268
CVE-2021-22156

Affected Products

Blackberry Qnx Os For Medical
Blackberry Qnx Os For Safety
Blackberry Qnx Software Development Platform