CVE-2024-48854

Medium

Published: 14 January 2025

Published

14 January 2025

Modified

21 January 2025

KEV Added

—

Patch

—

CVSS Score 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

EPSS Score 0.0046 64.3th percentile

Risk Priority 11 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-48854 is a medium-severity Off-by-one Error (CWE-193) vulnerability in Blackberry Qnx Software Development Platform. Its CVSS base score is 5.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 35.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly mitigates the off-by-one error by requiring timely remediation of known flaws in the TIFF image codec through patching as advised by the vendor.

SI-16 Memory Protection good match

prevent

Implements memory protection techniques to prevent unauthorized disclosure of information from memory leaks caused by the off-by-one error during TIFF processing.

SI-10 Information Input Validation partial match

prevent

Validates TIFF image inputs to detect and reject malformed files that could trigger the off-by-one error leading to information disclosure.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

Remote unauthenticated network exploitation of image codec for information disclosure directly maps to public-facing application exploitation.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

Off-by-one error in the TIFF image codec in QNX SDP versions 8.0, 7.1 and 7.0 could allow an unauthenticated attacker to cause an information disclosure in the context of the process using the image codec.

Deeper analysisAI

CVE-2024-48854 is an off-by-one error (CWE-193) in the TIFF image codec within QNX SDP versions 8.0, 7.1, and 7.0. Published on 2025-01-14, this vulnerability enables an unauthenticated attacker to cause information disclosure in the context of the process using the image codec. It carries a CVSS v3.1 base score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N), indicating medium severity with low confidentiality impact and no impact on integrity or availability.

An unauthenticated attacker can exploit this vulnerability remotely over the network with low attack complexity and no privileges or user interaction required. Exploitation triggers the off-by-one error during TIFF image processing, potentially leaking sensitive data from the memory space of the affected process.

Mitigation details are provided in the BlackBerry advisory at https://support.blackberry.com/pkb/s/article/140334. Security practitioners should consult this reference for patch availability and recommended remediation steps for affected QNX SDP deployments.