Cyber Resilience

CVE-2025-2474

Critical

Published: 10 June 2025

Modified: 01 December 2025
KEV Added: not listed
Patch: see vendor advisory
CVSS v3.1 score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.0111 (78.6th percentile)
Risk priority: 20 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-2474 is a critical-severity Out-of-bounds Write (CWE-787) vulnerability in the BlackBerry QNX Software Development Platform (SDP). Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 21.4% of CVEs by exploit likelihood (EPSS), and it is not currently listed in the CISA KEV catalog.

Deeper analysis

The vulnerability is an out-of-bounds write (CWE-787) in the PCX image codec present in QNX SDP versions 8.0, 7.1, and 7.0. It carries a CVSS 3.1 base score of 9.8 and affects any process that invokes the codec to handle PCX images.

An unauthenticated network attacker can supply a malicious PCX file to trigger the flaw, resulting in a denial-of-service condition or arbitrary code execution within the context of the affected process. No authentication, user interaction, or special privileges are required.

The official BlackBerry advisory at https://support.blackberry.com/pkb/s/article/140646 describes mitigation steps and the patches available for the listed QNX SDP releases. The associated EPSS score remains low and unchanged at 0.0111, indicating limited observed exploitation interest to date.

EU & UK References

Vulnerability details

Out-of-bounds write in the PCX image codec in QNX SDP versions 8.0, 7.1 and 7.0 could allow an unauthenticated attacker to cause a denial-of-service condition or execute code in the context of the process using the image codec.

CWE(s): CWE-787 (Out-of-bounds Write)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: BlackBerry
Product: QNX Software Development Platform
Versions: 7.0, 7.1, 8.0

Mitigating Controls

Likely Mitigating Controls (AI-generated mapping)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Control (addresses CWE-787): non-executable memory protection

Non-executable memory protection prevents shellcode injected through an out-of-bounds write from executing; it does not by itself prevent the write or the resulting corruption of control flow, so it should be combined with a vendor patch.

References