CVE-2024-48857

High

Published: 14 January 2025

Published

14 January 2025

Modified

21 January 2025

KEV Added

—

Patch

—

CVSS Score 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS Score 0.0056 68.5th percentile

Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Description

NULL pointer dereference in the PCX image codec in QNX SDP versions 8.0, 7.1 and 7.0 could allow an unauthenticated attacker to cause a denial-of-service condition in the context of the process using the image codec.

Security Summary

CVE-2024-48857 is a NULL pointer dereference vulnerability (CWE-476) in the PCX image codec of QNX Software Development Platform (SDP) versions 8.0, 7.1, and 7.0. Published on January 14, 2025, it carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating high severity due to its potential for significant availability impact.

An unauthenticated attacker can exploit this flaw remotely with low attack complexity and no privileges or user interaction required. Exploitation triggers a denial-of-service condition within the context of the process utilizing the image codec, potentially crashing the application without affecting confidentiality or integrity.

Security practitioners should consult the BlackBerry advisory at https://support.blackberry.com/pkb/s/article/140334 for details on patches and mitigation recommendations.

Details

CWE(s): CWE-476

Affected Products

blackberry

qnx software development platform

7.0, 7.1, 8.0

References

https://support.blackberry.com/pkb/s/article/140334
Vendor Advisory · secure@blackberry.com