Qualcomm released security updates to patch multiple vulnerabilities, including one already actively exploited in the wild. The updates addressed almost two dozen flaws that affected proprietary and open-source components.
The critical vulnerability tracked as CVE-2024-43047 (CVSS score of 7.8) was described as a user-after-free weakness in the Digital Signal Processor (DSP) Service, which could lead to memory corruption if exploited by local adversaries with low privileges.
The chipmaker stated that Google Threat Analysis Group indicated the limited, targeted exploitation of CVE-2024-43047. Qualcomm said, “Patches for the issue affecting the FASTRPC driver have been made available to OEMs together with a strong recommendation to deploy the update on affected devices as soon as possible.”
While the scale and impact of the attacks are currently unknown, it is possible that they were used in spyware attacks targeting civil society members. The company also patched a nearly maximum severity flaw, tracked as CVE-2024-33066 (CVSS score of 9.8), in the WLAN Resource Manager due to improper input validation. It was reported over a year ago and could lead to memory corruption.
While both Google and Qualcomm have yet to release more information, the latter has previously fixed flaws in its Snapdragon DSP chip that enabled attackers to control smartphones without interacting with the user, develop unremovable malware that can avoid detection, and spy on users.
The company patched multiple chipset vulnerabilities in recent years, which could allow threat actors to access sensitive information such as media files, text messages, call history, and users’ ongoing conversations.
In October 2023, Qualcomm warned about three zero-day vulnerabilities in its GPU and Compute DSP drivers that were actively exploited in the wild.
The company released security updates after Google released its monthly security bulletin, which fixed 28 flaws, including issues identified in the components of MediaTek, Imagination Technologies, and Qualcomm.
The flaw was reported by Google Project Zero researchers Seth Jenkins and Conghui Wang of Amnesty International Security Lab, while Wang confirmed the in-the-wild activity.
In the News: LatePoint plugin vulnerabilities affect more than 7,000 websites