CVE-2021-22156
Published 2021-08-17
Priority: P3 · 57 · critical 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EPSS: 1.80% (75.7th percentile)
An integer overflow vulnerability in the calloc() function of the C runtime library of affected versions of BlackBerry® QNX Software Development Platform (SDP) version(s) 6.5.0SP1 and earlier, QNX OS for Medical 1.1 and earlier, and QNX OS for Safety 1.0.1 and earlier that could allow an attacker to potentially perform a denial of service or execute arbitrary code.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| blackberry | qnx_os_for_medical | <= 1.1.1 | — |
| blackberry | qnx_os_for_safety | <= 1.0.2 | — |
| blackberry | qnx_software_development_platform | < 6.5.0 | 6.5.0 |
| blackberry | qnx_software_development_platform | — | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
| vendor_cisco | — | 9.8 | CRITICAL | — |
CISA ICS
Multiple RTOS (Update E)
cisa_ics · 2021-11-30
ICS Advisory (archived content; may not reflect current CISA policy or programs)
Last Revised: April 19, 2022
Alert Code: ICSA-21-119-04
## 1. EXECUTIVE SUMMARY
- CVSS v3 9.8
- ATTENTION: Exploitable remotely/low attack complexity
- Vendors: Multiple
- Equipment: Multiple
- Vulnerabilities: Integer Overflow or Wraparound
CISA is aware of a public report, known as “BadAlloc” that details vulnerabilities found in multiple real-time operating systems (RTOS) and supporting libraries. CISA is issuing this advisory to provide early notice of the reported vulnerabilities and identify baseline mitigations for reducing risks to these and oth
Cisco
BlackBerry QNX-2021-001 Vulnerability Affecting Cisco Products: August 2021
vendor_cisco · 2021-08-18 · CVSS 9.8
CVE-2021-22156 [CRITICAL] CWE-190
On August 17, 2021, BlackBerry released a security advisory, QNX-2021-001, that disclosed an integer overflow vulnerability in the following BlackBerry software releases:
- QNX Software Development Platform (SDP) – 6.5.0SP1 and earlier
- QNX OS for Medical – 1.1 and earlier
- QNX OS for Safety – 1.0.1 and earlier
A successful exploit could allow an attacker to execute arbitrary code or cause a denial of service (DoS).
For a description of this vulnerability, see QNX-2021-001.
This advisory is available at the following link: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-qnx-TOxjVPdL
Cisco
BlackBerry QNX-2021-001 Vulnerability Affecting Cisco Products: August 2021
vendor_cisco · CVSS 3.1
CVSS: 3.1
CWE: CWE-190
Bug IDs: CSCvz34866, CSCvz34865, CSCvz34871, CSCv
GHSA
GHSA-x456-hhph-f575
ghsa_unreviewed · 2022-05-24
CVE-2021-22156 [CRITICAL] CWE-190
An integer overflow vulnerability in the calloc() function of the C runtime library of affected versions of BlackBerry® QNX Software Development Platform (SDP) version(s) 6.5.0SP1 and earlier, QNX OS for Medical 1.1 and earlier, and QNX OS for Safety 1.0.1 and earlier that could allow an attacker to potentially perform a denial of service or execute arbitrary code.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References:
- https://support.blackberry.com/kb/articleDetail?articleNumber=000082334
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-qnx-TOxjVPdL
Published: 2021-08-17