Skip to main content

QNX Neutrino CVE-2026-4017

| EUVDEUVD-2026-44320 HIGH
Stack-based Buffer Overflow (CWE-121)
2026-07-14 blackberry GHSA-8422-84vm-vcr2
7.4
CVSS 3.1 · Vendor: blackberry
Share

Severity by source

Vendor (blackberry) PRIMARY
7.4 HIGH
AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
7.4 HIGH

Reachable only via local syscall so AV:L; overflow depends on memory layout so AC:H; any unprivileged local process can call TraceEvent() so PR:N; kernel-context corruption gives full C/I/A.

3.1 AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
4.0 AV:L/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (blackberry).

CVSS VectorVendor: blackberry

CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
Jul 14, 2026 - 21:54 vuln.today
CVE Published
Jul 14, 2026 - 17:25 cve.org
HIGH 7.4

DescriptionCVE.org

Buffer Overflow in the entry handler of the TraceEvent() system call could allow an attacker with local access to cause information disclosure, data tampering or a crash of the QNX Neutrino kernel.

AnalysisAI

Local information disclosure, data tampering, and denial of service in the BlackBerry QNX Neutrino kernel stems from a stack buffer overflow in the entry handler of the TraceEvent() system call, affecting QNX Software Development Platform, QNX OS for Safety, and QNX OS for Medical. An attacker able to run code on the target can craft malicious TraceEvent() arguments to corrupt kernel stack memory, leaking sensitive kernel data, altering kernel state, or crashing the RTOS. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Gain local code execution on QNX device
Delivery
Invoke TraceEvent() syscall
Exploit
Supply oversized crafted arguments
Execution
Overflow kernel stack buffer
Persist
Leak or overwrite kernel memory
Impact
Disclose data, tamper state, or crash kernel

Vulnerability AssessmentAI

Exploitation Exploitation requires local code execution on a device running the QNX Neutrino kernel: the attacker must be able to run a process that invokes the TraceEvent() system call and pass it crafted arguments that overflow the entry handler's stack buffer. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score is 7.4 (High) with vector AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H - a local-only attack vector, high attack complexity, and no privilege requirement, yielding full high impact to confidentiality, integrity, and availability but confined to the vulnerable component (S:U). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has already gained the ability to run an unprivileged process on a QNX-based device - for example via a compromised application on an automotive infotainment unit or medical device - invokes TraceEvent() with carefully crafted arguments that overflow a fixed-size kernel stack buffer. By tuning the input they read back adjacent kernel memory (information disclosure), overwrite kernel data (tampering), or reliably crash the microkernel (denial of service). …
Remediation Patch available per vendor advisory - consult the BlackBerry support bulletin at https://support.blackberry.com/pkb/s/article/141213 for the fixed releases of QNX Software Development Platform, QNX OS for Safety, and QNX OS for Medical, and apply the vendor-supplied kernel update to affected devices; exact fix version numbers are not stated in the available data and must be taken from that advisory. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Conduct urgent inventory of all QNX OS for Safety and QNX OS for Medical systems in production, prioritizing medical device and safety-critical applications. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2013-2687 HIGH POC
7.8 Jul 12

Stack-based buffer overflow in the bpe_decompress function in (1) BlackBerry QNX Neutrino RTOS through 6.5.0 SP1 and (2)

CVE-2013-2688 MEDIUM POC
5.4 Jul 12

Buffer overflow in phrelay in BlackBerry QNX Neutrino RTOS through 6.5.0 SP1 in the QNX Software Development Platform al

CVE-2025-2474 CRITICAL
9.8 Jun 10

A security vulnerability in the PCX image codec in QNX SDP (CVSS 9.8) that allows an unauthenticated attacker. Critical

CVE-2021-32024 CRITICAL
9.8 Dec 13

A remote code execution vulnerability in the BMP image codec of BlackBerry QNX SDP version(s) 6.4 to 7.1 could allow an

CVE-2021-22156 CRITICAL
9.8 Aug 17

An integer overflow vulnerability in the calloc() function of the C runtime library of affected versions of BlackBerry®

CVE-2020-6932 CRITICAL
9.8 Aug 12

An information disclosure and remote code execution vulnerability in the slinger web server of the BlackBerry QNX Softwa

CVE-2017-3891 CRITICAL
9.6 Nov 14

In BlackBerry QNX Software Development Platform (SDP) 6.6.0, an elevation of privilege vulnerability in the default conf

CVE-2024-35213 CRITICAL
9.0 Jun 11

An improper input validation vulnerability in the SGI Image Codec of QNX SDP version(s) 6.6, 7.0, and 7.1 could allow an

CVE-2019-8998 HIGH
7.8 Jul 12

An information disclosure vulnerability leading to a potential local escalation of privilege in the procfs service (the

CVE-2023-32701 HIGH
7.1 Nov 14

Improper Input Validation in the Networking Stack of QNX SDP version(s) 6.6, 7.0, and 7.1 could allow an attacker to pot

CVE-2026-4018 MEDIUM
6.4 Jul 14

TOCTOU Race Condition in specific trace commands of the TraceEvent() system call could allow an attacker with local acce

CVE-2026-0515 MEDIUM
6.2 Jul 14

Insufficient Parameter Validation in the SchedGet() system call could allow an attacker with local access to cause a cra

Share

CVE-2026-4017 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy