BadAlloc Might Pose Risk to More Than One Hundred Million Vehicles


AutoThreat Product Manager & Team Lead

August 25, 2021

We are constantly monitoring cyber incidents in the mobility landscape as part of our commitment to make mobility more safe and secure for everyone. With the industry’s tremendous growth in connectivity and the consequent growth of attack vectors, we anticipate that a major event in the near future will break the rules and dramatically change our world.


Recently, a case with this kind of watershed potential came to light with BlackBerry’s revelation of a potential vulnerability in its widely-deployed QNX operating system. The unique features of this case prove that the idea of single threat rewriting everything we know about mobility is not far-fetched: single events or exploitations can have tremendous power to impact the entire connected car industry. In this article, we outline the features we believe lend this vulnerability world-shaking potential, and recommend steps for mitigating the potential risks posed by this vulnerability and other cases like it.


The BadAlloc Vulnerability and Its Impact on the Automotive Industry

BlackBerry announced that one of its most popular products, the QNX operating system, contains a high-level risk security vulnerability. This vulnerability, named BadAlloc (CVE-2021-22156, CVSS Score 9.0), can be exploited remotely and allows an attacker to perform a denial of service (DOS) attack or execute malicious commands on the affected device.


BadAlloc is a memory allocation vulnerability that exists in various standard allocation functions. Researchers have found that over the years, memory allocation implementations haven’t incorporated proper input validations, thus enabling threat actors to exploit the memory allocation vulnerability, inject malicious data, and execute remote commands on the affected device.

This vulnerability should concern the mobility industry considering QNX’s use in a broad range of vehicles. According to BlackBerry, QNX software is used by several OEMs and Tier ones including Aptiv, BMW, Bosch, Ford, GM, Honda, Mercedes-Benz, Toyota, and Volkswagen. Overall, the operating system is deployed in more than 195 million vehicles on the road.

This case has unprecedented red flag features when compared to previously uncovered mobility-related vulnerabilities:

  • A single set of vulnerabilities potentially impacts hundreds of millions of vehicles manufactured by different companies.
  • This vulnerability is categorized as an extremely high-level risk vulnerability that can be utilized to gain control of a vehicle’s systems.

If a threat were introduced to this system, which is a mutual key component in the BOM of legions of vehicles, its immensity could not be overstated. As such, the industry must take steps to ensure that vehicles and infrastructure utilizing the QNX OS will shore up opportunities for threat actors to exploit the BadAlloc vulnerability.

AutoThreat® Intelligence Mitigation Recommendations

First and foremost, relevant stakeholders must ensure that all QNX-based components are running the newest and most updated software version (a guide and technical information can be found in BlackBerry’s Security Advisory). In addition, CISA published mitigation advice for Manufacturers and End Users.

Upstream recommends keeping track of these severe vulnerabilities, especially in case an exploit is being discovered. Upstream’s AutoThreat®Intelligence includes a dedicated vulnerability section for the mobility landscape that keeps our customers updated and focused on the most consequential matters impacting mobility safety and security today. When a new vulnerability is uncovered, AutoThreat®’s component mapping dashboard enables its users to discover which OEMs and car models have been affected, and manage the risks and mitigation steps accordingly.

Potentially Affecting More Than 195 Million Vehicles and Various OEMs
Newsletter Icon

Upstream’s 2024 Global Automotive Cybersecurity Report

Newsletter Icon

to our newsletter

Stay up-to-date on the latest trends, emerging risks, and updates

Mike Lexa Joins Upstream Security Advisory Board to Accelerate Cybersecurity Resilience in the Automotive & Mobility IoT Sector

The mobility ecosystem is experiencing a profound digital transformation. The increasing reliance on mobility services and Internet of Things (IoT) devices is not just reshaping…

Read more

7 Key Financial Implications of Automotive Cybersecurity Risks

In June 2023, a leading Taiwan-based semiconductor manufacturer disclosed a cybersecurity incident involving a ransomware group and one of its IT hardware suppliers, which led…

Read more

Newly Discovered IoT Vulnerabilities in ELDs Raise Risk for Fleet-Wide Attacks

In late March 2024, The Register published a unique coverage, describing multiple new vulnerabilities and elaborating on the cyber risks in ELDs (electronic logging devices)…

Read more

Navigating the Evolving Automotive Cybersecurity Regulatory Landscape

The automotive industry’s digital transformation has ushered in an era of unprecedented connectivity and technological advancement. Yet, it is also exposing mobility assets to a…

Read more