CVE-2024-48858

High

Published: 14 January 2025

Published

14 January 2025

Modified

01 December 2025

KEV Added

—

Patch

—

CVSS Score 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS Score 0.0034 56.9th percentile

Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-48858 is a high-severity Improper Validation of Specified Type of Input (CWE-1287) vulnerability in Blackberry Qnx Software Development Platform. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked in the top 43.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Application or System Exploitation (T1499.004). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

SI-10 directly requires validation of information inputs like PCX images to prevent crashes from malformed data exploiting improper input validation.

SI-2 Flaw Remediation good match

prevent

SI-2 mandates timely remediation of identified flaws such as this improper input validation vulnerability in the QNX PCX codec.

SC-5 Denial-of-service Protection partial match

preventdetect

SC-5 protects against and detects denial-of-service events triggered by remote exploitation of the PCX codec input flaw.

MITRE ATT&CK Enterprise TechniquesAI

T1499.004 Application or System Exploitation Impact

Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

attack.mitre.org →

Why these techniques?

Remote unauthenticated exploitation of input validation flaw in image codec directly enables application crash/DoS, matching T1499.004.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Improper input validation in the PCX image codec in QNX SDP versions 8.0, 7.1 and 7.0 could allow an unauthenticated attacker to cause a denial-of-service condition in the context of the process using the image codec.

Deeper analysisAI

CVE-2024-48858 is an improper input validation vulnerability (CWE-1287) in the PCX image codec of QNX SDP versions 8.0, 7.1, and 7.0. Published on 2025-01-14, it carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), highlighting its potential for high-impact availability disruption without affecting confidentiality or integrity.

An unauthenticated attacker can exploit this vulnerability remotely over the network with low attack complexity and no privileges or user interaction required. Exploitation triggers a denial-of-service condition within the context of the process using the PCX image codec, potentially crashing the affected application.

Blackberry has published an advisory with mitigation guidance at https://support.blackberry.com/pkb/s/article/140334.

Details

CWE(s): CWE-1287

Affected Products

blackberry

qnx software development platform

7.0, 7.1, 8.0

CVEs Like This One

CVE-2024-48857Same product: Blackberry Qnx Software Development Platform

CVE-2024-48856Same product: Blackberry Qnx Software Development Platform

CVE-2024-48855Same product: Blackberry Qnx Software Development Platform

CVE-2024-48854Same product: Blackberry Qnx Software Development Platform

CVE-2025-20251Shared CWE-1287

CVE-2026-2454Shared CWE-1287

CVE-2026-20074Shared CWE-1287

CVE-2025-20630Shared CWE-1287

CVE-2025-20621Shared CWE-1287

CVE-2026-29645Shared CWE-1287

References

https://support.blackberry.com/pkb/s/article/140334
Vendor Advisory · secure@blackberry.com