CVE-2025-8090: CWE-476 NULL Pointer Dereference in BlackBerry Ltd QNX Software Development Platform
A null pointer dereference vulnerability in the MsgRegisterEvent() system call of the QNX Neutrino Kernel in QNX SDP 7.1 and 7.0, and QNX OS for Safety 2.2, 2.1 and 2.0, could potentially allow an attacker with local access and code execution abilities to crash the QNX Neutrino kernel.
AI Analysis
Technical Summary
CVE-2025-8090 identifies a null pointer dereference vulnerability classified under CWE-476 in the MsgRegisterEvent() system call within the QNX Neutrino Kernel, part of BlackBerry's QNX Software Development Platform (SDP) versions 7.0 and 7.1 and QNX OS for Safety versions 2.0 through 2.2. The vulnerability arises when the kernel attempts to access a null pointer during event registration, leading to a kernel panic or crash. An attacker with local access and the ability to execute code can trigger this condition, causing a denial of service by crashing the kernel and potentially requiring a system reboot. The vulnerability does not allow for privilege escalation, data leakage, or code execution beyond the initial local access but disrupts system availability. The CVSS v3.1 base score is 6.2, reflecting medium severity, with attack vector as local (AV:L), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), unchanged scope (S:U), no impact on confidentiality or integrity (C:N, I:N), and high impact on availability (A:H). There are no known exploits in the wild, and no patches have been released at the time of publication. This vulnerability is particularly relevant for embedded systems and safety-critical environments where QNX is deployed, such as automotive infotainment, industrial control systems, and medical devices. The lack of remote exploitability limits the attack surface but does not eliminate risk in environments where local access is possible. The vulnerability underscores the importance of robust access controls and monitoring in systems running QNX SDP.
Potential Impact
The primary impact of CVE-2025-8090 is a denial of service condition caused by a kernel crash, which can disrupt operations of embedded and safety-critical systems running QNX SDP. For European organizations, especially those in automotive manufacturing, industrial automation, and critical infrastructure sectors that rely on QNX for real-time operating system capabilities, this could lead to operational downtime, safety risks, and potential financial losses. Systems affected may include vehicle infotainment units, industrial controllers, medical devices, and other embedded platforms. The inability to maintain system availability could affect production lines, transportation systems, or healthcare services. Although the vulnerability does not compromise data confidentiality or integrity, the loss of availability in safety-critical environments could have severe consequences. The requirement for local access limits the threat to insiders or attackers who have already breached perimeter defenses, but once inside, the attacker could cause significant disruption. The absence of known exploits reduces immediate risk but does not preclude future exploitation attempts.
Mitigation Recommendations
To mitigate CVE-2025-8090, organizations should implement strict access controls to limit local access to systems running QNX SDP, including physical security measures and network segmentation to prevent unauthorized lateral movement. Monitoring and alerting for kernel crashes and abnormal system behavior can provide early warning of exploitation attempts. Employing host-based intrusion detection systems tailored for embedded environments may help detect suspicious activity. Organizations should prepare for rapid deployment of patches once BlackBerry releases updates addressing this vulnerability. In the interim, consider applying vendor-recommended workarounds or disabling non-essential services that invoke MsgRegisterEvent() if feasible. Conduct thorough audits of user privileges and remove unnecessary local accounts to reduce the attack surface. For safety-critical systems, ensure fail-safe mechanisms and redundancy are in place to maintain operational continuity in case of a crash. Regularly update and test incident response plans to handle potential denial of service events caused by this vulnerability.
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: blackberry
- Date Reserved: 2025-07-23T15:38:00.519Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 69667941a60475309f8fa6c5
Added to database: 1/13/2026, 4:56:33 PM
Last enriched: 1/13/2026, 5:12:17 PM
Last updated: 1/13/2026, 6:10:38 PM