CVE-2025-2474
Published: 10 June 2025
Summary
CVE-2025-2474 is a critical-severity Out-of-bounds Write (CWE-787) vulnerability in the BlackBerry QNX Software Development Platform (SDP). Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 21.4% of CVEs by predicted exploit likelihood (EPSS percentile), and it is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.
Deeper analysis
The vulnerability is an out-of-bounds write (CWE-787) in the PCX image codec shipped with QNX SDP versions 8.0, 7.1 and 7.0. It carries a CVSS 3.1 base score of 9.8 and affects any process that invokes the codec to handle PCX images, so the real exposure on a given device depends on which processes load the codec and whether they accept PCX data from untrusted sources (network services, file imports, HMI or media paths).
An unauthenticated attacker who can deliver a crafted PCX file to such a process can trigger the flaw, resulting in a denial-of-service condition (the process crashes) or arbitrary code execution in the context of that process. The 9.8 rating corresponds to a network-reachable vector with no authentication, user interaction or special privileges required; what the attacker gains on success is bounded by the privileges of the process that did the decoding.
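The following is an added, constructed example, not BlackBerry's code and not a reproduction of this CVE (the advisory does not disclose the codec's internals). It shows the CWE-787 pattern as it typically appears in a PCX run-length decoder: a decode loop that trusts the run length taken from the file, beside a hardened version that checks every write against the space remaining in the output buffer and rejects the scanline rather than clamping it. The function names, the `demo_` helpers and the sample byte strings are assumptions made for this example.

```c
/*
 * Constructed example of CWE-787 in a PCX RLE decoder. NOT the QNX codec
 * and NOT the actual CVE-2025-2474 defect; it illustrates the weakness
 * class only.
 *
 * PCX RLE: a byte whose top two bits are set (0xC0..0xFF) is a run marker,
 * its low six bits give the run length (0..63), and the next byte is the
 * pixel value to repeat. Any other byte is a single literal pixel.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SCANLINE_LEN 8u   /* the scanline size the caller believes it has */

/* Vulnerable form: trusts the file-controlled run length and never compares
 * it with the space left in `out`. Returns the number of bytes written. */
size_t pcx_rle_decode_unchecked(const uint8_t *in, size_t in_len,
                                uint8_t *out, size_t out_len)
{
    size_t i = 0, o = 0;
    while (i < in_len && o < out_len) {
        uint8_t b = in[i++];
        if ((b & 0xC0) == 0xC0) {
            size_t run = b & 0x3F;
            if (i >= in_len)
                break;                 /* truncated run */
            uint8_t v = in[i++];
            while (run--)
                out[o++] = v;          /* CWE-787: may write past out_len */
        } else {
            out[o++] = b;
        }
    }
    return o;
}

/* Hardened form: each run is checked against the remaining space before
 * any byte is written; an oversized or truncated run rejects the input.
 * Returns 0 on success, -1 on malformed input. */
int pcx_rle_decode_checked(const uint8_t *in, size_t in_len,
                           uint8_t *out, size_t out_len, size_t *written)
{
    size_t i = 0, o = 0;
    while (i < in_len) {
        uint8_t b = in[i++];
        size_t run = 1;
        uint8_t v = b;
        if ((b & 0xC0) == 0xC0) {
            run = b & 0x3F;
            if (i >= in_len)
                return -1;             /* run marker without a value byte */
            v = in[i++];
        }
        if (run > out_len - o)
            return -1;                 /* would overflow: reject the file */
        memset(out + o, v, run);
        o += run;
    }
    *written = o;
    return 0;
}

/* Constructed inputs. BENIGN encodes 8 pixels: one literal, then a run of
 * seven. HOSTILE is a single marker requesting a 63-byte run into an
 * 8-byte line. */
static const uint8_t BENIGN[]  = { 0x10, 0xC7, 0xAA };
static const uint8_t HOSTILE[] = { 0xFF, 0x41 };

/* Feeds HOSTILE to the unchecked decoder with a 128-byte scratch area but
 * tells it the line is only SCANLINE_LEN bytes. The slack exists solely so
 * this demo does not corrupt real memory; the return value shows how far
 * past the declared bound the decoder wrote. */
size_t demo_unchecked_overflow(void)
{
    uint8_t scratch[128] = { 0 };
    return pcx_rle_decode_unchecked(HOSTILE, sizeof HOSTILE, scratch, SCANLINE_LEN);
}

/* Same hostile input through the checked decoder: rejected, nothing written. */
int demo_checked_rejects(void)
{
    uint8_t line[SCANLINE_LEN] = { 0 };
    size_t n = 0;
    return pcx_rle_decode_checked(HOSTILE, sizeof HOSTILE, line, sizeof line, &n);
}

/* Benign input decodes to exactly one full scanline; returns its length. */
size_t demo_checked_benign(void)
{
    uint8_t line[SCANLINE_LEN] = { 0 };
    size_t n = 0;
    if (pcx_rle_decode_checked(BENIGN, sizeof BENIGN, line, sizeof line, &n) != 0)
        return 0;
    return (line[0] == 0x10 && line[7] == 0xAA) ? n : 0;
}

int main(void)
{
    printf("unchecked: wrote %zu bytes into an %u-byte line\n",
           demo_unchecked_overflow(), SCANLINE_LEN);
    printf("checked, hostile input: %d (rejected)\n", demo_checked_rejects());
    printf("checked, benign input: %zu bytes\n", demo_checked_benign());
    return 0;
}
```

The hardened decoder rejects the whole input instead of silently clamping the run, so a malformed file fails closed and the failure is visible to the caller; clamping would hide a tampered file and leave the rest of the image in an inconsistent state. In a real codec the same check is needed on every write path (palette, header-derived dimensions, per-plane offsets), not just the RLE loop.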
The official advisory published by BlackBerry at https://support.blackberry.com/pkb/s/article/140646 describes mitigation steps and the available patches for the listed QNX SDP releases. The associated EPSS score remains low and unchanged at 0.0111, a predicted probability of roughly 1.1% that exploitation activity is seen in the next 30 days; EPSS is a forecast, not evidence of observed exploitation, and it does not lower the severity of the weakness. The patch should be applied on any device where a process using the codec can receive PCX data from an untrusted source.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-17750
Vulnerability details
Out-of-bounds write in the PCX image codec in QNX SDP versions 8.0, 7.1 and 7.0 could allow an unauthenticated attacker to cause a denial-of-service condition or execute code in the context of the process using the image codec.
- CWE(s): CWE-787 (Out-of-bounds Write)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
QNX SDP 8.0, 7.1 and 7.0: any process on those releases that invokes the PCX image codec. Fixed builds are listed in the BlackBerry advisory referenced above.
Mitigating Controls
Likely Mitigating Controls (AI-derived)
Per-CVE control mapping for this CVE has not run yet; the controls below are derived from the weakness type (CWE-787) cited in the NVD entry, not from analysis of the QNX codec itself. They reduce exploitability but do not remove the out-of-bounds write; the vendor fix does.
- Memory protections, where the platform and build enable them: non-executable stack and heap (NX/DEP) and address space layout randomization (ASLR). An out-of-bounds write that injects shellcode lands in memory that cannot be executed, and one that corrupts control flow must first defeat ASLR to land on a useful address; together they turn many exploitation attempts into crashes, that is, denial of service rather than code execution.
- Least privilege and isolation: run the process that decodes PCX data with the minimum privileges it needs and, where possible, in a separate process from anything sensitive, so that code execution "in the context of the process using the image codec" yields as little as possible.
- Input control: limit which services accept PCX files from untrusted sources until the patch is deployed.