BadAlloc Might Pose Risk to More Than One Hundred Million Vehicles


AutoThreat Product Manager & Team Lead

We are constantly monitoring cyber incidents in the mobility landscape as part of our commitment to make mobility more safe and secure for everyone. With the industry’s tremendous growth in connectivity and the consequent growth of attack vectors, we anticipate that a major event in the near future will break the rules and dramatically change our world.


Recently, a case with this kind of watershed potential came to light with BlackBerry’s revelation of a potential vulnerability in its widely-deployed QNX operating system. The unique features of this case prove that the idea of single threat rewriting everything we know about mobility is not far-fetched: single events or exploitations can have tremendous power to impact the entire connected car industry. In this article, we outline the features we believe lend this vulnerability world-shaking potential, and recommend steps for mitigating the potential risks posed by this vulnerability and other cases like it.


The BadAlloc Vulnerability and Its Impact on the Automotive Industry

BlackBerry announced that one of its most popular products, the QNX operating system, contains a high-level risk security vulnerability. This vulnerability, named BadAlloc (CVE-2021-22156, CVSS Score 9.0), can be exploited remotely and allows an attacker to perform a denial of service (DOS) attack or execute malicious commands on the affected device.


BadAlloc is a memory allocation vulnerability that exists in various standard allocation functions. Researchers have found that over the years, memory allocation implementations haven’t incorporated proper input validations, thus enabling threat actors to exploit the memory allocation vulnerability, inject malicious data, and execute remote commands on the affected device.

This vulnerability should concern the mobility industry considering QNX’s use in a broad range of vehicles. According to BlackBerry, QNX software is used by several OEMs and Tier ones including Aptiv, BMW, Bosch, Ford, GM, Honda, Mercedes-Benz, Toyota, and Volkswagen. Overall, the operating system is deployed in more than 195 million vehicles on the road.

This case has unprecedented red flag features when compared to previously uncovered mobility-related vulnerabilities:

  • A single set of vulnerabilities potentially impacts hundreds of millions of vehicles manufactured by different companies.
  • This vulnerability is categorized as an extremely high-level risk vulnerability that can be utilized to gain control of a vehicle’s systems.

If a threat were introduced to this system, which is a mutual key component in the BOM of legions of vehicles, its immensity could not be overstated. As such, the industry must take steps to ensure that vehicles and infrastructure utilizing the QNX OS will shore up opportunities for threat actors to exploit the BadAlloc vulnerability.

AutoThreat® Intelligence Mitigation Recommendations

First and foremost, relevant stakeholders must ensure that all QNX-based components are running the newest and most updated software version (a guide and technical information can be found in BlackBerry’s Security Advisory). In addition, CISA published mitigation advice for Manufacturers and End Users.

Upstream recommends keeping track of these severe vulnerabilities, especially in case an exploit is being discovered. Upstream’s AutoThreat®Intelligence includes a dedicated vulnerability section for the mobility landscape that keeps our customers updated and focused on the most consequential matters impacting mobility safety and security today. When a new vulnerability is uncovered, AutoThreat®’s component mapping dashboard enables its users to discover which OEMs and car models have been affected, and manage the risks and mitigation steps accordingly.

Potentially Affecting More Than 195 Million Vehicles and Various OEMs
Newsletter Icon

to our newsletter

Sign up to receive updates delivered to your inbox

By clicking Subscribe, I agree to the use of my personal data in accordance with Privacy Policy. Upstream will not sell, trade, lease, or rent your personal data to third parties.

Cybersecurity for Connected Vehicles: From Cost Centre to Value Centre (Part 2)

This blog is part of a series on the monetization of connected vehicles through cloud-based agentless cybersecurity tools, written by Ric Vicari, Upstream’s UK-based VP…

Read more

Cybersecurity for Connected Vehicles: From Cost Centre to Value Centre (Part 1)

This blog is part of a series on the monetization of connected vehicles through cloud-based agentless cybersecurity tools, written by Ric Vicari, Upstream’s UK-based VP…

Read more

Keeping Commercial Vehicles Rolling Amidst Climbing Cyber Threats

Today’s rising cybersecurity threats are not enough to break the will of the most advanced fleets- but they are enough to impact logistics. The last…

Read more

90 Days with Upstream: From “Project Beacon” to “Data-driven Cybersecurity”

Having just completed my first 90 days in the cybersecurity domain, I feel it’s important to share a few reflections on market opportunities and risks…

Read more