CVE-2024-48855

Medium

Published: 14 January 2025

Published

14 January 2025

Modified

21 January 2025

KEV Added

—

Patch

—

CVSS Score 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

EPSS Score 0.0046 64.4th percentile

Risk Priority 11 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-48855 is a medium-severity Out-of-bounds Read (CWE-125) vulnerability in Blackberry Qnx Software Development Platform. Its CVSS base score is 5.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 35.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly remediates the out-of-bounds read vulnerability in the QNX SDP TIFF image codec through timely application of vendor-provided patches.

SI-10 Information Input Validation good match

prevent

Requires validation of untrusted TIFF image inputs to ensure structural integrity and bounds checking, preventing malformed images from triggering out-of-bounds reads.

SI-16 Memory Protection partial match

prevent

Implements memory safeguards like address space layout randomization and isolation to limit the scope and usability of information disclosed via out-of-bounds reads in the affected process.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

Remote network-exploitable out-of-bounds read in image codec directly maps to remote application exploitation for information disclosure.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

Out-of-bounds read in the TIFF image codec in QNX SDP versions 8.0, 7.1 and 7.0 could allow an unauthenticated attacker to cause an information disclosure in the context of the process using the image codec.

Deeper analysisAI

CVE-2024-48855 is an out-of-bounds read vulnerability (CWE-125) in the TIFF image codec within QNX SDP versions 8.0, 7.1, and 7.0. Published on January 14, 2025, it carries a CVSS v3.1 base score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N), indicating medium severity primarily due to low-impact confidentiality loss.

An unauthenticated attacker can exploit this vulnerability over the network with low attack complexity, no user interaction, and no privileges. Exploitation triggers an out-of-bounds read, potentially allowing disclosure of sensitive information from the memory context of the process using the TIFF image codec.

The BlackBerry advisory at https://support.blackberry.com/pkb/s/article/140334 provides details on mitigation and patches for affected QNX SDP versions.