Qualcomm patches high-severity zero-day exploited in attacks

Qualcomm has released security patches for a zero-day vulnerability in the Digital Signal Processor (DSP) service that impacts dozens of chipsets.

The security flaw (CVE-2024-43047) was reported by Google Project Zero’s Seth Jenkins and Amnesty International Security Lab’s Conghui Wang, and it is caused by a use-after-free weakness that can lead to memory corruption when successfully exploited by local attackers with low privileges.

“Currently, the DSP updates header buffers with unused DMA handle fds. In the put_args section, if any DMA handle FDs are present in the header buffer, the corresponding map is freed,” as explained in a DSP kernel commit.

“However, since the header buffer is exposed to users in unsigned PD, users can update invalid FDs. If this invalid FD matches with any FD that is already in use, it could lead to a use-after-free (UAF) vulnerability.”

As the company cautioned in a Monday security advisory, security researchers with Google’s Threat Analysis Group and Amnesty International Security Lab tagged the vulnerability as exploited in the wild. Both groups are known for discovering zero-day bugs exploited in spyware attacks targeting the mobile devices of high-risk individuals, including journalists, opposition politicians, and dissidents.

“There are indications from Google Threat Analysis Group that CVE-2024-43047 may be under limited, targeted exploitation,” Qualcomm warned today. “Patches for the issue affecting FASTRPC driver have been made available to OEMs together with a strong recommendation to deploy the update on affected devices as soon as possible. “

Qualcomm also urged users to contact their device manufacturer for more details regarding their specific devices’ patch status.

​Today, the company also fixed an almost maximum severity flaw (CVE-2024-33066) in the WLAN Resource Manager reported more than a year ago and caused by an improper input validation weakness that could lead to memory corruption.

In October last year, Qualcomm also warned that attackers were exploiting three zero-day vulnerabilities in its GPU and Compute DSP drivers in the wild.

According to reports from Google’s Threat Analysis Group (TAG) and Project Zero teams, it was used for limited, targeted exploitation. Google and Qualcomm are yet to reveal additional information on these attacks.

In recent years, Qualcomm has also patched chipset vulnerabilities that could allow attackers to access users’ media files, text messages, call history, and real-time conversations.

Qualcomm also fixed flaws in its Snapdragon Digital Signal Processor (DSP) chip, allowing hackers to control smartphones without user interaction, spy on their users, and create unremovable malware capable of evading detection.

KrØØk, another vulnerability patched in 2020, enabled attackers to decrypt some WPA2-encrypted wireless network packets, while yet another now-fixed bug allowed access to critical data.