A recent security analysis has uncovered critical vulnerabilities in the infotainment systems of KIA vehicles, raising alarm across the automotive cybersecurity community.

These flaws allow attackers to inject and execute malicious code through specially crafted PNG image files, potentially compromising vehicle safety and user privacy.

Security researchers, during an in-depth examination of KIA’s head unit and its underlying Real-Time Operating System (RTOS), found that the infotainment firmware failed to properly validate certain image file formats—most notably PNG files.

By exploiting this weakness, attackers could embed executable payloads inside images that, when processed by the infotainment system, triggered remote code execution.

he attack leverages a buffer overflow vulnerability in the image parsing library used by KIA’s infotainment system.

When a malicious PNG file is loaded—either via USB, Bluetooth, or over-the-air update—the system’s parser mishandles the image data, allowing the attacker’s code to overwrite critical memory regions.

Attack Chain

• Initial Access: The attacker delivers a malicious PNG file to the vehicle (e.g., via a USB drive or compromised update).
• Payload Execution: The infotainment system parses the image, triggering the buffer overflow.
• Privilege Escalation: The injected code runs with system-level privileges, allowing full control over the head unit.
• Potential Impact: Attackers can manipulate vehicle settings, access personal data, or pivot to other vehicle networks such as the CAN bus.