CISA Urges Organizations to Patch Critical BlackBerry QNX Bug

A vulnerability in BlackBerry’s QNX Real-Time Operating System (RTOS) could pose a serious security risk to critical infrastructure providers, the US government has warned.
Microsoft first disclosed the so-called “BadAlloc” flaws in April 2021. These remote code execution (RCE) bugs span more than 25 CVEs and take the form of integer overflow or wraparound vulnerabilities in memory allocation functions, Microsoft said at the time.
The Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert warning that the QNX RTOS is vulnerable to one of them, CVE-2021-22156, which could allow an attacker to cause a denial of service or take control of affected systems. It carries a CVSS score of 9.0, rating it “critical.”
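To make the vulnerability class concrete, the following is an added illustration written for this article; it is not BlackBerry's, Microsoft's or QNX's code, and the page does not describe the exact arithmetic inside the affected allocator. It assumes a hypothetical bump allocator that prepends a 16-byte bookkeeping header to every chunk. The unchecked version adds the header size to the caller's request without guarding against wraparound, so a request close to SIZE_MAX wraps to a tiny total, passes the capacity check, and hands back a chunk far smaller than the caller believes it received; the hardened version rejects any request the size arithmetic cannot represent.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy bump allocator standing in for an embedded heap (assumption for this
 * example, not QNX's allocator). Each chunk carries a small header in front
 * of the bytes returned to the caller. */
#define HDR_SIZE  16u
#define POOL_SIZE 4096u

struct pool {
    unsigned char mem[POOL_SIZE];
    size_t used;
};

/* Vulnerable pattern: header size is added to the request without a
 * wraparound check. For n = SIZE_MAX - 8, total wraps to 7, which passes the
 * capacity test, so only 7 bytes are reserved for an enormous request. */
void *toy_malloc_unchecked(struct pool *p, size_t n) {
    size_t total = n + HDR_SIZE;          /* may wrap around */
    if (total > POOL_SIZE - p->used)
        return NULL;
    unsigned char *chunk = p->mem + p->used;
    memcpy(chunk, &n, sizeof n);          /* record requested size in header */
    p->used += total;
    return chunk + HDR_SIZE;              /* points past the reserved bytes */
}

/* Hardened form: refuse any request whose size arithmetic would wrap. */
void *toy_malloc_checked(struct pool *p, size_t n) {
    if (n > SIZE_MAX - HDR_SIZE)          /* total would overflow size_t */
        return NULL;
    size_t total = n + HDR_SIZE;
    if (total > POOL_SIZE - p->used)
        return NULL;
    unsigned char *chunk = p->mem + p->used;
    memcpy(chunk, &n, sizeof n);
    p->used += total;
    return chunk + HDR_SIZE;
}

/* Issue a near-SIZE_MAX request followed by a normal 32-byte one and return
 * the distance in bytes between the two chunks, or -1 if the huge request was
 * refused. A small positive gap means the second chunk sits inside the region
 * the first caller believes it owns, i.e. a heap overlap. */
ptrdiff_t gap_after_huge_request(int use_checked) {
    struct pool p;
    memset(&p, 0, sizeof p);
    size_t huge = SIZE_MAX - 8;
    unsigned char *a = use_checked ? toy_malloc_checked(&p, huge)
                                   : toy_malloc_unchecked(&p, huge);
    if (a == NULL)
        return -1;
    unsigned char *b = use_checked ? toy_malloc_checked(&p, 32)
                                   : toy_malloc_unchecked(&p, 32);
    return b - a;
}

int main(void) {
    printf("unchecked: gap = %td bytes (huge request accepted)\n",
           gap_after_huge_request(0));
    printf("checked:   gap = %td (huge request refused)\n",
           gap_after_huge_request(1));
    return 0;
}
```

The unchecked allocator reports a gap of only 7 bytes between a chunk that was nominally SIZE_MAX - 8 bytes long and the next allocation; any write through the first pointer corrupts the second chunk's header and data. The checked allocator returns NULL for the same request and leaves the pool untouched. Real allocators differ in layout and bookkeeping, but the guard is the same: validate the computed size before using it, and treat a wrapped total as a failed allocation rather than a small one.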
Although no current reports suggest the bug has been exploited in the wild, CISA urged any organizations “developing, maintaining, supporting, or using” affected systems to patch immediately.
The issue is more urgent given the widespread deployment of QNX in critical infrastructure. BlackBerry claims that the RTOS “is trusted in more than 195 million vehicles” and embedded in systems across “aerospace and defense, automotive, commercial vehicles, heavy machinery, industrial controls, medical, rail and robotics.”
The US Food and Drug Administration has also issued a bulletin, claiming that medical device manufacturers are currently assessing and working to mitigate the vulnerability.
It has been reported that BlackBerry officials first denied that BadAlloc affected their software and then chose not to go public with the news when the flaws were first revealed several months ago.
However, this stance changed after the firm concluded that it could not identify all affected downstream customers that may be using the RTOS via OEM-ed products, according to Politico.
“Software supply chain issues are main stage now, and are the gateway drug to extortion, ransomware, and botnets,” argued BreachQuest CISO, AJ King.
“It’s always better to take early, proactive measures to show your consumers that you’re doing everything in your power to keep their data — and in this case their physical security — safe.”