Cyber Resilience

CVE-2024-48854

Medium

Published: 14 January 2025

Published
14 January 2025
Modified
21 January 2025
KEV Added
Patch
CVSS Score v3.1 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
EPSS Score 0.0063 70.7th percentile
Risk Priority 11 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-48854 is a medium-severity Off-by-one Error (CWE-193) vulnerability in Blackberry Qnx Software Development Platform. Its CVSS base score is 5.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 29.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2024-48854 is an off-by-one error (CWE-193) in the TIFF image codec within QNX SDP versions 8.0, 7.1, and 7.0. Published on 2025-01-14, this vulnerability enables an unauthenticated attacker to cause information disclosure in the context of the process using the image codec. It carries a CVSS v3.1 base score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N), indicating medium severity with low confidentiality impact and no impact on integrity or availability.

An unauthenticated attacker can exploit this vulnerability remotely over the network with low attack complexity and no privileges or user interaction required. Exploitation triggers the off-by-one error during TIFF image processing, potentially leaking sensitive data from the memory space of the affected process.

Mitigation details are provided in the BlackBerry advisory at https://support.blackberry.com/pkb/s/article/140334. Security practitioners should consult this reference for patch availability and recommended remediation steps for affected QNX SDP deployments.

EU & UK References

Vulnerability details

Off-by-one error in the TIFF image codec in QNX SDP versions 8.0, 7.1 and 7.0 could allow an unauthenticated attacker to cause an information disclosure in the context of the process using the image codec.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Remote unauthenticated network exploitation of image codec for information disclosure directly maps to public-facing application exploitation.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2024-48855Same product: Blackberry Qnx Software Development Platform
CVE-2024-48856Same product: Blackberry Qnx Software Development Platform
CVE-2024-48858Same product: Blackberry Qnx Software Development Platform
CVE-2024-48857Same product: Blackberry Qnx Software Development Platform
CVE-2024-10442Shared CWE-193
CVE-2026-49127Shared CWE-193
CVE-2006-10003Shared CWE-193
CVE-2026-48689Shared CWE-193
CVE-2024-57259Shared CWE-193
CVE-2026-28520Shared CWE-193

Affected Assets

blackberry
qnx software development platform
7.0, 7.1, 8.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates the off-by-one error by requiring timely remediation of known flaws in the TIFF image codec through patching as advised by the vendor.

prevent

Implements memory protection techniques to prevent unauthorized disclosure of information from memory leaks caused by the off-by-one error during TIFF processing.

prevent

Validates TIFF image inputs to detect and reject malformed files that could trigger the off-by-one error leading to information disclosure.

References