Cyber Resilience

CVE-2024-48857

High

Published: 14 January 2025

Published
14 January 2025
Modified
21 January 2025
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score 0.0056 68.9th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-48857 is a high-severity NULL Pointer Dereference (CWE-476) vulnerability in Blackberry Qnx Software Development Platform. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked in the top 31.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2024-48857 is a NULL pointer dereference vulnerability (CWE-476) in the PCX image codec of QNX Software Development Platform (SDP) versions 8.0, 7.1, and 7.0. Published on January 14, 2025, it carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating high severity due to its potential for significant availability impact.

An unauthenticated attacker can exploit this flaw remotely with low attack complexity and no privileges or user interaction required. Exploitation triggers a denial-of-service condition within the context of the process utilizing the image codec, potentially crashing the application without affecting confidentiality or integrity.

Security practitioners should consult the BlackBerry advisory at https://support.blackberry.com/pkb/s/article/140334 for details on patches and mitigation recommendations.

EU & UK References

Vulnerability details

NULL pointer dereference in the PCX image codec in QNX SDP versions 8.0, 7.1 and 7.0 could allow an unauthenticated attacker to cause a denial-of-service condition in the context of the process using the image codec.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

NULL pointer dereference in image codec directly enables remote application DoS via exploitation (T1499.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2024-48858Same product: Blackberry Qnx Software Development Platform
CVE-2024-48856Same product: Blackberry Qnx Software Development Platform
CVE-2024-48854Same product: Blackberry Qnx Software Development Platform
CVE-2024-48855Same product: Blackberry Qnx Software Development Platform
CVE-2026-40413Shared CWE-476
CVE-2025-57155Shared CWE-476
CVE-2026-28390Shared CWE-476
CVE-2026-23952Shared CWE-476
CVE-2025-57156Shared CWE-476
CVE-2025-63647Shared CWE-476

Affected Assets

blackberry
qnx software development platform
7.0, 7.1, 8.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly remediates the NULL pointer dereference vulnerability in the QNX PCX image codec by identifying, prioritizing, and applying patches from the BlackBerry advisory.

prevent

Validates PCX image inputs from untrusted sources to block malformed files that trigger the NULL pointer dereference and process crash.

prevent

Implements secure error handling in the image codec to gracefully manage NULL pointer conditions without causing denial-of-service crashes.

References