August 19th, 2021: CyberHoot has received notification of critical risks to our national cybersecurity. A critical vulnerability has been made public by CISA, known as “BadAlloc”. Details of the vulnerabilities found in multiple real-time operating systems (RTOS) and supporting libraries are available here. CyberHoot is issuing this advisory to provide early notice of the reported vulnerabilities in the hope of assisting our clients in identifying at-risk systems and upgrading/eliminating/remediating the risks quickly and effectively.  Doing so will reduce your risk of these attacks. The vulnerabilities may allow malicious actors to exploit your systems using remote code injection/execution or simply crash your device. 

Affected Systems and Vulnerability

Below are the affected systems from this vulnerability. For more information on the specific vulnerabilities for each tool, go to https://cwe.mitre.org/data/definitions/190.html for more information. 

  • Amazon FreeRTOS, Version 10.4.1
  • Apache Nuttx OS, Version 9.1.0 
  • ARM CMSIS-RTOS2, versions prior to 2.1.3
  • ARM Mbed OS, Version 6.3.0
  • ARM mbed-ualloc, Version 1.3.0
  • BlackBerry QNX SDP Versions 6.5.0 SP1 and earlier
  • BlackBerry QNX OS for Safety Versions 1.0.1 and earlier safety products compliant with IEC 61508 and/or ISO 26262
  • BlackBerry QNX OS for Medical Versions 1.1 and earlier safety products compliant with IEC 62304
    • A full list of affected QNX products and versions is available here
  • Cesanta Software Mongoose OS, v2.17.0
  • eCosCentric eCosPro RTOS, Versions 2.0.1 through 4.5.3
  • Google Cloud IoT Device SDK, Version 1.0.2
  • Media Tek LinkIt SDK, versions prior to 4.6.1
  • Micrium OS, Versions 5.10.1 and prior
  • Micrium uC/OS: uC/LIB Versions 1.38.xx, Version 1.39.00
  • NXP MCUXpresso SDK, versions prior to 2.8.2
  • NXP MQX, Versions 5.1 and prior
  • Redhat newlib, versions prior to 4.0.0
  • RIOT OS, Version 2020.01.1 
  • Samsung Tizen RT RTOS, versions prior 3.0.GBB
  • TencentOS-tiny, Version 3.1.0
  • Texas Instruments CC32XX, versions prior to 4.40.00.07
  • Texas Instruments SimpleLink MSP432E4XX
  • Texas Instruments SimpleLink-CC13XX, versions prior to 4.40.00
  • Texas Instruments SimpleLink-CC26XX, versions prior to 4.40.00
  • Texas Instruments SimpleLink-CC32XX, versions prior to 4.10.03
  • Uclibc-NG, versions prior to 1.0.36 
  • Windriver VxWorks, prior to 7.0
  • Zephyr Project RTOS, versions prior to 2.5

What Can You Do?

Below are mitigations for this vulnerability on the various systems it affects. The majority of systems have updates/patches available for this potential exploit. CyberHoot recommends you update immediately if you use these tools. 


Find out how CyberHoot can secure your business.