Qualcomm has issued an urgent call to action for OEMs following the discovery of critical vulnerabilities in its Digital Signal Processor (DSP) and WLAN components, both of which have been actively exploited in the wild. The company released security updates to address nearly two dozen flaws, encompassing proprietary and open-source elements.
The most pressing concern is the high-severity vulnerability CVE-2024-43047, which carries a CVSS score of 7.8. This user-after-free bug within the DSP Service threatens to cause memory corruption by mismanaging HLOS memory maps.Â
Notably, this vulnerability was identified by Google Project Zero researchers Seth Jenkins and Conghui Wang, with Amnesty International Security Lab confirming its exploitation in real-world scenarios.
According to Qualcomm's advisory, Google's Threat Analysis Group has found indications of limited, targeted exploitation of CVE-2024-43047. Patches addressing the issue in the FASTRPC driver have been disseminated to OEMs, along with strong recommendations for immediate deployment on affected devices.
While the full scope of these attacks remains undetermined, there are concerns that the vulnerability could be leveraged for spyware attacks against civil society members.Â
Additionally, Qualcomm's October patch includes a fix for another critical flaw in the WLAN Resource Manager (CVE-2024-33066), which, due to improper input validation, could also lead to memory corruption. This flaw carries an even higher CVSS score of 9.8, underscoring its severity.
This development is part of a broader effort to secure mobile platforms, with Google releasing its monthly Android security bulletin, covering 28 vulnerabilities that include issues in components from Imagination Technologies, MediaTek, and Qualcomm itself.
OEMs and security teams must act swiftly to implement these patches to mitigate potential threats. The industry is reminded of the critical importance of timely security updates to protect against increasingly sophisticated exploits and ensure the safety and integrity of mobile devices worldwide.
In other news, a recent Windows MSHTML spoofing zero-day flaw was added by CISA to its Known Exploited Vulnerabilities catalog.