BadAlloc Might Pose Risk to More Than One Hundred Million Vehicles


AutoThreat Product Manager & Team Lead

We are constantly monitoring cyber incidents in the mobility landscape as part of our commitment to make mobility more safe and secure for everyone. With the industry’s tremendous growth in connectivity and the consequent growth of attack vectors, we anticipate that a major event in the near future will break the rules and dramatically change our world.


Recently, a case with this kind of watershed potential came to light with BlackBerry’s revelation of a potential vulnerability in its widely-deployed QNX operating system. The unique features of this case prove that the idea of single threat rewriting everything we know about mobility is not far-fetched: single events or exploitations can have tremendous power to impact the entire connected car industry. In this article, we outline the features we believe lend this vulnerability world-shaking potential, and recommend steps for mitigating the potential risks posed by this vulnerability and other cases like it.


The BadAlloc Vulnerability and Its Impact on the Automotive Industry

BlackBerry announced that one of its most popular products, the QNX operating system, contains a high-level risk security vulnerability. This vulnerability, named BadAlloc (CVE-2021-22156, CVSS Score 9.0), can be exploited remotely and allows an attacker to perform a denial of service (DOS) attack or execute malicious commands on the affected device.


BadAlloc is a memory allocation vulnerability that exists in various standard allocation functions. Researchers have found that over the years, memory allocation implementations haven’t incorporated proper input validations, thus enabling threat actors to exploit the memory allocation vulnerability, inject malicious data, and execute remote commands on the affected device.

This vulnerability should concern the mobility industry considering QNX’s use in a broad range of vehicles. According to BlackBerry, QNX software is used by several OEMs and Tier ones including Aptiv, BMW, Bosch, Ford, GM, Honda, Mercedes-Benz, Toyota, and Volkswagen. Overall, the operating system is deployed in more than 195 million vehicles on the road.

This case has unprecedented red flag features when compared to previously uncovered mobility-related vulnerabilities:

  • A single set of vulnerabilities potentially impacts hundreds of millions of vehicles manufactured by different companies.
  • This vulnerability is categorized as an extremely high-level risk vulnerability that can be utilized to gain control of a vehicle’s systems.

If a threat were introduced to this system, which is a mutual key component in the BOM of legions of vehicles, its immensity could not be overstated. As such, the industry must take steps to ensure that vehicles and infrastructure utilizing the QNX OS will shore up opportunities for threat actors to exploit the BadAlloc vulnerability.

AutoThreat® Intelligence Mitigation Recommendations

First and foremost, relevant stakeholders must ensure that all QNX-based components are running the newest and most updated software version (a guide and technical information can be found in BlackBerry’s Security Advisory). In addition, CISA published mitigation advice for Manufacturers and End Users.

Upstream recommends keeping track of these severe vulnerabilities, especially in case an exploit is being discovered. Upstream’s AutoThreat®Intelligence includes a dedicated vulnerability section for the mobility landscape that keeps our customers updated and focused on the most consequential matters impacting mobility safety and security today. When a new vulnerability is uncovered, AutoThreat®’s component mapping dashboard enables its users to discover which OEMs and car models have been affected, and manage the risks and mitigation steps accordingly.

Potentially Affecting More Than 195 Million Vehicles and Various OEMs
Newsletter Icon

Upstream’s 2023 Global Automotive Cybersecurity Report

Newsletter Icon

to our newsletter

Sign up to receive updates delivered to your inbox

Follow the Data: Connected Vehicles & Beyond

Automotive OEMs executives deal every day with at least four strategic challenges: Reputational risk limitation Regulatory compliance Recall costs minimisation Reliability of service and customer…

Read more

The Future of Fleet Security: Are Autonomous Vehicles Secure?

In recent years, the delivery industry has seen a significant shift towards electrification and autonomous vehicles in an effort to streamline services and improve efficiency.…

Read more

The Race to Autonomous Mobility May Be Slowed Down by Hackers

Electric-driven and fully autonomous mobility services have the potential to solve some of the world’s biggest transportation challenges. They are bound to revolutionize the automotive…

Read more

The Power Grid Must Be Protected, But Are EV Charging Stations Secure?

The widespread adoption of electric vehicles (EVs) depends on a robust and reliable network of charging stations. However, as the number of EVs on the…

Read more