Quote:The potential danger from a raft of memory-allocation bugs discovered by Microsoft in April has now spread to older versions of multiple BlackBerry QNX products.
 
The Cybersecurity Infrastructure and Security Agency (CISA) and BlackBerry warned in separate alerts Tuesday that threat actors can take over or launch denial of service attacks on devices and critical infrastructure by exploiting what are called BadAlloc bugs tied to BlackBerry’s QNX operating system (OS).
 
QNX is a real-time OS, used in embedded systems such as automobiles, medical devices and handsets. BlackBerry acquired the OS in 2010 when it bought Quantum Software Systems. Industries and devices using the affected QNX OS include aerospace and defense, heavy machinery, rail, robotics, industrial controls and medical devices. BlackBerry boasted in 2019  QNX is embedded in the infotainment systems of 150 million vehicles ranging from Audi, Ford, Kia and Volkswagen.
 
BadAlloc, tracked as CVE-2021-22156, is the name Microsoft’s Section 52 research group gave to 25 critical memory-allocation vulnerabilities discovered in April that at the time were believed to affect myriad vendors’ IoT and industrial devices.
 
“BlackBerry QNX RTOS is used in a wide range of products whose compromise could result in a malicious actor gaining control of highly sensitive systems, increasing risk to the nation’s critical functions,” according to the CISA’s advisory.