The USA’s CISA and BlackBerry simultaneously announced that the Real Time Operating System (RTOS) products of BlackBerry’s QNX division are vulnerable to CVE-2021-22156, the so-called “BadAlloc” vulnerability in RTOS products that was recently disclosed. The vulnerability allows for an overflow attack in services that use the calloc() function, which could lead to denial of service or remote code execution (RCE). QNX was a major acquisition by the iconic handheld device company BlackBerry and specializes in providing RTOS for a wide range of embedded devices and applications. Any RTOS that has not yet been updated to the latest version and patched is vulnerable. Affected systems include over 195 million vehicle systems as well as a wide range of medical devices, industrial control systems (ICS), and other embedded devices.
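The calloc() overflow described above comes down to the `nmemb * size` multiplication wrapping around, so the caller receives a far smaller buffer than it asked for. The sketch below is an added example, not BlackBerry's code or its patch; `unchecked_total`, `checked_total`, `safe_calloc` and `alloc_ok` are hypothetical names, and the oversized request is a constructed value.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Byte count an allocator gets if it multiplies without a check.
 * size_t arithmetic is modular, so a huge request can wrap to a tiny one. */
size_t unchecked_total(size_t nmemb, size_t size) {
    return nmemb * size;
}

/* Stores nmemb * size in *out and returns 1 only if the product fits. */
int checked_total(size_t nmemb, size_t size, size_t *out) {
    if (size != 0 && nmemb > SIZE_MAX / size)
        return 0;
    *out = nmemb * size;
    return 1;
}

/* Hypothetical wrapper: fails the request instead of under-allocating. */
void *safe_calloc(size_t nmemb, size_t size) {
    size_t total;
    if (!checked_total(nmemb, size, &total))
        return NULL;
    void *p = malloc(total ? total : 1);
    if (p != NULL)
        memset(p, 0, total);
    return p;
}

/* Returns 1 if safe_calloc hands back a zero-filled buffer, else 0. */
int alloc_ok(size_t nmemb, size_t size) {
    unsigned char *p = safe_calloc(nmemb, size);
    if (p == NULL)
        return 0;
    int zeroed = 1;
    for (size_t i = 0; i < nmemb * size; i++)
        if (p[i] != 0) zeroed = 0;
    free(p);
    return zeroed;
}

int main(void) {
    size_t n = SIZE_MAX / 16 + 2;   /* constructed oversized element count */
    printf("unchecked bytes: %zu\n", unchecked_total(n, 16));
    printf("safe_calloc rejects: %d\n", safe_calloc(n, 16) == NULL);
    printf("normal request ok: %d\n", alloc_ok(4, 8));
    return 0;
}
```

Code that cannot rely on a patched C runtime can route element-count allocations through a checked wrapper of this kind, so an attacker-influenced count fails cleanly instead of yielding a short buffer.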