CVE-2024-35213

9.0 CRITICAL

📋 TL;DR

An improper input validation vulnerability in the SGI Image Codec of QNX SDP allows an attacker to cause a denial of service or execute arbitrary code by supplying a malicious SGI image file for processing. This affects QNX SDP versions 6.6, 7.0, and 7.1. Systems that use QNX for image processing are vulnerable.

💻 Affected Systems

Products:
  • QNX Software Development Platform (SDP)
Versions: 6.6, 7.0, 7.1
Operating Systems: QNX Neutrino RTOS
Default Config Vulnerable: ⚠️ Yes
Notes: Systems using SGI image processing functionality are vulnerable. Embedded systems, automotive, medical devices, and industrial control systems using QNX may be affected.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution with SYSTEM/root privileges leading to complete system compromise.

🟠

Likely Case

Denial-of-service causing image processing services to crash.

🟢

If Mitigated

Limited impact if proper input validation and sandboxing are implemented.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires processing a malicious SGI image file. No public exploit code is available as of the advisory date.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Apply patches from BlackBerry security advisory

Vendor Advisory: https://support.blackberry.com/pkb/s/article/139914

Restart Required: Yes

Instructions:

1. Review BlackBerry security advisory 139914
2. Download appropriate patches for your QNX SDP version
3. Apply patches following vendor instructions
4. Restart affected systems and services

🔧 Temporary Workarounds

Disable SGI Image Processing

Remove or disable SGI image codec functionality if not required

# Remove SGI codec libraries if possible
# Disable image processing services using SGI format

Input Validation Filtering

Implement strict file type validation before processing SGI images

# Add file signature validation for SGI images
# Reject malformed or suspicious SGI files
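An added example of the file-signature and consistency pre-filter described above; this is illustrative code, not from the BlackBerry advisory or the QNX codec. It parses the 512-byte SGI header, rejects files whose magic, storage, depth, dimension or size fields are inconsistent, and for RLE files checks that every scanline start/length table entry lies inside the file, so a malformed file is dropped before it reaches the codec. The specific defect behind CVE-2024-35213 is not described on this page, so these are generic format sanity checks rather than a signature for the bug; the pixel budget and the sample files are constructed values.

```python
import struct

SGI_MAGIC = 474          # 0x01DA big-endian, the SGI/RGB file signature
HEADER_LEN = 512

def make_sgi_header(storage, bpc, dim, xs, ys, zs, colormap=0):
    """Build a 512-byte SGI header (constructed test data, not a real sample)."""
    head = struct.pack(">HBBHHHHii", SGI_MAGIC, storage, bpc, dim, xs, ys, zs, 0, 255)
    return head.ljust(104, b"\0") + struct.pack(">i", colormap) + b"\0" * 404

def validate_sgi(data, max_pixels=64 * 1024 * 1024):
    """Return None if header and tables are self-consistent, else a reject reason."""
    if len(data) < HEADER_LEN:
        return "truncated header"
    magic, storage, bpc, dim, xs, ys, zs = struct.unpack(">HBBHHHH", data[:12])
    (colormap,) = struct.unpack(">i", data[104:108])
    if magic != SGI_MAGIC:
        return "bad magic"
    if storage not in (0, 1) or bpc not in (1, 2) or dim not in (1, 2, 3):
        return "bad storage/bpc/dimension field"
    if colormap not in (0, 1, 2, 3):
        return "bad colormap field"
    # Per the format, ysize is ignored for 1-D images and zsize for 1-D/2-D images.
    ys = ys if dim >= 2 else 1
    zs = zs if dim == 3 else 1
    if 0 in (xs, ys, zs):
        return "zero-sized image"
    # Python ints cannot overflow; a C port must overflow-check this product.
    if xs * ys * zs > max_pixels:
        return "image exceeds pixel budget"
    if storage == 0:  # verbatim pixels follow the header directly
        if len(data) < HEADER_LEN + xs * ys * zs * bpc:
            return "pixel data truncated"
        return None
    # RLE: a start table and a length table, one uint32 per scanline per channel
    n = ys * zs
    tables_end = HEADER_LEN + 8 * n
    if len(data) < tables_end:
        return "RLE offset tables truncated"
    starts = struct.unpack(f">{n}I", data[HEADER_LEN:HEADER_LEN + 4 * n])
    lengths = struct.unpack(f">{n}I", data[HEADER_LEN + 4 * n:tables_end])
    for start, length in zip(starts, lengths):
        if start < tables_end or start + length > len(data):
            return "RLE scanline offset/length outside file"
    return None

# Constructed samples: a well-formed 2x2 verbatim image, and an RLE file whose
# scanline length table points 10000 bytes past the end of the file.
GOOD = make_sgi_header(0, 1, 2, 2, 2, 1) + b"\x00\xff\xff\x00"
BAD_RLE = make_sgi_header(1, 1, 2, 4, 1, 1) + struct.pack(">II", 520, 10000) + b"\x83\xaa\x00"
```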

🧯 If You Can't Patch

  • Implement network segmentation to isolate QNX systems
  • Deploy application allowlisting to prevent unauthorized code execution

🔍 How to Verify

Check if Vulnerable:

Check QNX SDP version and verify if SGI image processing is enabled

Check Version:

uname -a or check QNX system version via system commands

Verify Fix Applied:

Verify patch installation and test with known safe SGI images

📡 Detection & Monitoring

Log Indicators:

  • Image processing service crashes
  • Memory access violation errors
  • Unexpected process termination

Network Indicators:

  • Unusual SGI file transfers to QNX systems
  • Network traffic to/from image processing services

SIEM Query:

Process: (name contains 'image' OR 'codec') AND (event_type contains 'crash' OR 'exception')
